VDI - Zero Client Printing Solution


Economies of Scale - Zero Clients

ZERO CLIENT DEPLOYMENT WITH IPP/RPC HYBRID SaaS SOLUTION

A Solution for Zero Clients Utilizing an Internal Built Solution

BY BRIAN MURPHY / www.vcissgroup.com

Cost Save: High

Areas: CAPEX, TCO, ROI

Summary

The technology has been around for some time but has never been used in this capacity, that I'm aware of. Maybe someone beat me to it, but I originally created this draft article back in 2010. I've implemented the solution. I designed the solution after being given the question of "Can you make printing a viable, cost effective solution versus us bringing in developers that want to charge us $300,000.00 to create a print solution". This is what I came up with and built out the proof of concept.

If you have Windows 2008R2 Print Servers or even earlier, you can enable IPP and simply change the website to Integrated (Print GUI). Use internal load balancers, external load balancers, and split DNS if necessary to keep one FQDN like print.mycompany.com, which is DELEGATED to the load balancer. The load balancer must have:

1. Load Balancing by proximity

2. GSLB

I’m basing this draft on what I know from previous readings. It requires more research to see what we can do with the ADMX file that goes with this solution, but I know that what I’m writing as of now will work if implemented as stated. We do need to create a formal step-by-step and testing.

This has the potential to greatly simplify printing for Zero Client but is NOT an end-all-be-all for all customers, where something like Google Cloud Print might very well provide a better solution if mostly WFH users. By no means does it impact our standard offering for non-Zero client, which should be and hopefully will never change: (below)

Citrix Universal Printer Driver only

Disable install of native drivers

Map Default Client Printer Only

Provide Universal Printer Object and XML Viewer (Client) for ALL other local printers defined on the client workstation that does not fall under Zero Client classification

Note: This new solution solves more than just Zero Client!

The Solution for having Internal Zero Client Print Offering

Does this exist today? The technology does, we just have to give it life.

Can we implement today with existing equipment? Yes

Does it cost anything in terms of new CAPEX? No, should be able to utilize existing infrastructure and servers

Is it secure? YES, HTTPS on the front-end website > Printer Gateway just passes traffic to customer print server. There are additional advanced logging features on the IIS server that we can forward to our collection server. Did we decide on the collection server?

How can I put this…. It resolves your issue and question regarding the zero client in a way that is a possible long term resolution. It immediately allows any zero clients to print to any registered printer on the customer network. The solution is internal but users connect from anywhere. IPP rules don’t apply. I’m calling this ICP – Private Cloud Printing Service (PCPS).

It resolves the Zero Client WFH printer issue but requires additional administrative work – for the customer. We certainly don’t want to get in the printer business. (Home Printing Only).

1. It requires setting up a dummy printer on the print server that matches the users’ printer and driver. When I say driver, the best case scenario is having the customer update their driver to the latest driver hosted on the customer print server and choose the output as “USB” or LPT for example. Next, the Printer Name must match the name on the client machine.

2. Keep in mind, they are already running the virtual desktop, which is already authenticated, so what would normally be an Internal facing VIP or service we just made into a private cloud printing service. It is merely an interface for the Zero clients to use (web based).

3. This is probably not documented anywhere but IPP as a protocol has been around for some time and I’ve done this with Server 2003. It does require a customer resource for sure and they must follow the best practices defined by our team initially.

We have several options for the customer, each having pros and cons.

Leveraging Windows 2008 R2, we are going to take advantage of what is referred to as RPC over HTTPS. IPP or RPC with HTTPS over TCP 443, combined with IIS 7, allows us to present a DYNAMIC print server list of printers in a Web Interface.

But that is Internet? Why go internal if made for internet? Because we can and we thought of it first!

Well, it was not really made for Internet other than it allowed for connecting to printers at work from home in a secure manner. We are going to use this to connect to printers internally in a secure manner from a device that does not support printing but the OS does, and using GPO we can allow this to happen in the write cache.

There has never been a need until now, with ZERO CLIENT. Think about it, it provides the ability to print over the internet using RPC encapsulated in HTTPS. Yet, it is perfect for this specific scenario – a fact that we should take full advantage of before others catch on and become the first to create the ZERO CLIENT printing!

If you turn it on internally then it defaults to RPC, and you can use Windows Integrated Login for the website. The ZERO Client running the Windows OS connects to the website, the OS and website are now communicating, and the ZERO Client doesn't care at this point that you are printing RPC. The printer is automatically installed. The printer is now available to print. More than likely, there is a way to automate this further.

Option 1

Host the Private Cloud Printing Service (PCPS) in a dedicated infrastructure zone. Multiple clients per PCPS, clients only see their printers due to one-way-trust. Redirect output to print servers at each site or we can host a dedicated customer print server with standard drivers – policies configured to use UPD regardless - another MT-Print Server with all the printers for all customers in the Domain or even IP based and provide access to the Printer Management Console for each customer.

Option 2

Place a PCPS at each location where the customer maintains a file server and in this case they will need to add the WFH printers to that server.

Option 3

There are always more options. I’m just documenting what I am thinking at this moment.

Benefits

Private Cloud Printing Service (PCPS) makes it possible for VDI running Windows OS to use printers that are located anywhere in the world and, using any client, to print to the closest corporate owned printer.

A website is presented to the customer with a list of printers to which they have access; this can be printers or fax machines or multi-purpose devices.

The Private Cloud Printing Service (PCPS) Gateway Server can be hosted in the client segment but must have a registered IP and URL that is merely Internal accessible. As an option, we can consolidate all “printers” to the client subnet in a dedicated customer zone and IPP web interface to contact this server instead of placing multiple Private Cloud Printing Service (PCPS) Gateway Servers in the customer environment. Although this is an option the following must be considered:

We do not want to be in printing driver business; customer must manage

Printing output to printers in remote offices experiences slowness (However)

o Possible resolution is the remote office Branch Repeater product from Citrix

This provides faster printing

This provides faster file copies

This provides faster ICA/HDX compression and speed

This provides faster application traffic for SQL, Oracle and certain others

Note: Requires Platinum Edition of XenDesktop but is more than worth the expense for what you get.

Side Note: Why you SHOULD buy PLATINUM.

Branch Repeater

XenApp as application consolidation –

o Platinum allows Xenapp or XenDesktop connects

HDX WAN Optimization for high-end graphics

Edgesight

o Monitoring and Reporting

o Trending

o Forensics Historical Analysis Suite

Edgesight for virtual desktops

Edgesight for Netscaler

Edgesight for Branch Repeater

SSO – Single Sign On

o SSO for Customer Business Applications

Quick Summary

Keep in mind, users are already authenticated. They are simply remote. Exposing a website or websites as a VIP to a VDI that is already authenticated allows for Integrated Logon. The site will not be searchable, and you are not required to authenticate like with regular IPP due to having the one-way-trust. Internal infrastructure already exists.

How does it work!

The “Private Cloud Printing Service (PCPS)” process is as follows:

From a client computer user types the internal URL for a printing device (Option 1)

o Created as Favorites in Profile

VDI customer types in URL of the website hosting PCPS relay components

o User is authenticated using Integrated Logon (must be enabled – not on by default)

o User is presented with a list of printers to which they have access

o User clicks printer, printer is installed, printer is now available to Zero Client

The RPC (internal) request is sent over the LAN or MPLS to the customer “Private Cloud Printing Service (PCPS)” server

o Hosted per customer segment and can exist on the customer owned file server

o However, the preferred approach is to create a “Delivery” segment; due to one-way-trusts you can actually host every customer printer on one ICP server. The more we host, the more resources we need, but this is better than one or two per customer segment

o The other option is to have the customer host an ICP per segment where the print servers reside

After the server authenticates the user utilizing Integrated Logon, the server presents status information to the user by using Active Server Pages (ASP), which contain information about currently available printers to which they have access

When the client first tries to connect to any of the printers it searches for a local driver.

o The Zero Client does not allow this but in this case the VDI and write cache would allow, although only per session.

o Our Private Cloud Printing Service (PCPS) server generates a cabinet file (.cab file, also known as a setup file) that contains the appropriate printer driver files.

o The print server downloads the .cab file to the VDA.

o The user on the client computer is prompted to download the .cab file

o Prompt can be removed by GPO.

o It is “possible” that we can remove the CAB file download and just have the virtual OS perform a “logical mapping” and send output direct (GPO). I would be surprised if this is not an option.

o The client computer downloads the printer driver and connects to the printer by using RPC due to this being an “Intranet” LAN/WAN printing.

o Internal Printing Protocol (IPP) is an option if client wishes for a more secure option where the traffic is HTTPS/RPC.

o All of this is controlled by an extensive ADMX file for GPO

o With a Medium-high or Medium security zone, IPP is used, and with a Medium-low security zone, RPC is used.

At this point, the virtual OS that is running on the Zero Client is now able to print using our Gateway service and it was all internal.

Additional Recommendations

The print server can use IIS and other technologies to collect and log extensive data about the user, the computer that sends the printing request, and the request itself. If we can use the Windows collection service this would be a perfect fit to enhance security and provide auditing for customer.
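An added example, not part of the original article: one way to audit the print site's IIS W3C log for the two properties this design relies on, Integrated Logon and HTTPS. The `/printers` path is the default Internet Printing virtual directory; the logged field selection, addresses, user names and printer name in the sample are constructed assumptions.

```python
# Added example: audit an IIS W3C log for Internet Printing requests.
PRINT_PREFIX = "/printers"  # default Internet Printing virtual directory

# Constructed sample log (assumed field selection, made-up hosts and users).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem s-port cs-username c-ip sc-status
2010-06-01 14:02:11 10.0.0.5 GET /printers/ 443 - 10.1.2.30 401
2010-06-01 14:02:11 10.0.0.5 GET /printers/ 443 CORP\\jdoe 10.1.2.30 200
2010-06-01 14:02:15 10.0.0.5 POST /printers/HP4200/.printer 443 CORP\\jdoe 10.1.2.30 200
2010-06-01 14:05:40 10.0.0.5 GET /printers/ 80 CORP\\asmith 10.1.2.44 200
2010-06-01 14:07:02 10.0.0.5 GET /printers/ 443 - 10.1.9.9 200
2010-06-01 14:08:00 10.0.0.5 GET /iisstart.htm 443 - 10.1.9.9 200
"""


def parse_w3c(text):
    """Yield one dict per request, named by the most recent #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def audit_print_requests(text):
    """Return (findings, successful print-site requests per user)."""
    findings, per_user = [], {}
    for r in parse_w3c(text):
        if not r["cs-uri-stem"].lower().startswith(PRINT_PREFIX):
            continue
        ok = r["sc-status"].startswith("2")
        user = r["cs-username"]
        # A 401 with user "-" is the normal first leg of Integrated Logon;
        # only a successful request with no user means anonymous access.
        if ok and user == "-":
            findings.append(("anonymous", r["c-ip"], r["cs-uri-stem"]))
        if r["s-port"] != "443":
            findings.append(("not-https", r["c-ip"], r["cs-uri-stem"]))
        if ok and user != "-":
            per_user[user] = per_user.get(user, 0) + 1
    return findings, per_user


if __name__ == "__main__":
    print(audit_print_requests(SAMPLE_LOG))
```

The per-user counts give the auditing record for the customer; any `anonymous` or `not-https` finding means the site is not configured the way the process above assumes.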

It might be possible to turn off the CAB file download and print direct. I think this is in the GPO but have not had time to research. Hopefully, more to come on this one, but as is it resolves the Zero Client Issue utilizing existing technology.

Many have used this article to implement Zero Client and free RPC/IPP internal printing using print servers that already exist: simply enable IPP printing and you have a web GUI on that print server.

But differentiation is all about being extreme, rewarding the best and weeding out the ineffective. Rigorous differentiation delivers real stars—and stars build great businesses.

Welch, Jack; Byrne, John A. (2003-10-01). Jack: Straight from the Gut

I was blunt and candid and, some thought, rude. My language could be coarse and impolitic. I didn’t like sitting and listening to canned presentations or reading reports, preferring one-on-one conversations where I expected managers to know their businesses and to have the answers. I loved “constructive conflict” and thought open and honest debates about business issues brought out the best decisions. If an idea couldn’t survive a no-holds-barred discussion, the marketplace would kill it. Larry Bossidy, a good friend and former GE vice chairman, would later liken our staff meetings to Miller Lite commercials. They were loud, raucous, and animated.

Welch, Jack; Byrne, John A. (2003-10-01). Jack: Straight from the Gut

Eventually, I learned that I was really looking for people who were filled with passion and a desire to get things done. A résumé didn’t tell me much about that inner hunger. I had to “feel” it.

Welch, Jack; Byrne, John A. (2003-10-01). Jack: Straight from the Gut

Brian Murphy

101 E. Park Blvd, STE 711

Plano, TX 75074

(M) 214.476.4513