VDI - Zero Client Printing Solution
Economies of Scale - Zero Clients
ZERO CLIENT DEPLOYMENT WITH IPP/RPC HYBRID SaaS SOLUTION
A Solution for Zero Clients Utilizing an Internal Built Solution
BY BRIAN MURPHY / www.vcissgroup.com
Cost Save: High
Areas: CAPEX, TCO, ROI
Summary
Technology has been around for some time but never used in this capacity, that I'm aware of. Maybe someone
beat me to it but I originally created this draft article back in 2010. I've implemented the solution, I designed
the solution after being given the question of "Can you make printing a viable, cost effective solution versus us
bringing in developers that want to charge us $300,000.00 to create a print solution". This is what I came up
with and built out the proof of concept.
If you have Windows 2008R2 Print Servers or even earlier, you can enable IPP and simply change the website
to Integrated (Print GUI). Internal load balancers, external load balancers, split DNS if necessary to keep one
FQDN like print.mycompany.com which is DELEGATED to the load balancer which must have:
1. Load Balancing by proximity
2. GSLB
I’m basing this draft on what I know from previous readings. It requires more research
to see what we can do with the ADMX file that goes with this solution but I know that what I’m writing as of
now will work if implemented as stated but we do need to create a formal step-by-step and testing.
This has the potential to greatly simplify printing for Zero Client but is NOT an end-all-be-all for all
customers where something like Google Cloud Print might very well provide a better solution if mostly
WFH users and by no means does it impact our standard offering for non-Zero client which should be and
hopefully will never change: (below)
Citrix Universal Printer Driver only
Disable install of native drivers
Map Default Client Printer Only
Provide Universal Printer Object and XML Viewer (Client) for ALL other local printers defined on the client workstation that does not fall under Zero Client classification
Note: This new solution solves more than just Zero Client!
The Solution for having Internal Zero Client Print Offering
Does this exist today? The technology does, we just have to give it life.
Can we implement today with existing equipment? Yes
Does it cost anything in terms of new CAPEX? No, should be able to utilize existing infrastructure and servers
Is it secure? YES, HTTPS on the front-end website > Printer Gateway just passes traffic to customer print server. There are additional advanced logging features on the IIS server that we can forward to our collection server. Did we decide on the collection server?
How can I put this… It resolves your issue and question regarding the zero client in a way that is a possible long term resolution. It immediately allows any zero clients to print to any registered printer on the customer network. The solution is internal but users connect from anywhere. IPP rules don’t apply. I’m calling this ICP – Private Cloud Printing Service (PCPS).
It resolves the Zero Client WFH printer issue but requires additional administrative work – for the customer. We certainly don’t want to get in the printer business. (Home Printing Only).
1. It requires setting up a dummy printer on the print server that matches the users’ printer and driver. When I say driver, the best case scenario is having the customer update their driver to the latest driver hosted on the customer print server and choose the output as “USB” or LPT for example. Next, the Printer Name must match the name on the client machine.
2. Keep in mind, they are already running the virtual desktop which is already authenticated so what would normally be Internal facing VIP or service we just made a private cloud printing service. It is merely an interface for the Zero clients to use (web based).
3. This is probably not documented anywhere but IPP as a protocol has been around for some time and I’ve done this with Server 2003. It does require a customer resource for sure and they must follow the best practices defined by our team initially.
We have several options for the customer, each having pros and cons.
Leveraging Windows 2008 R2 we are going to take advantage of what is referred to as RPC over HTTPS. IPP
or RPC with HTTPS over TCP 443 combined with IIS7 allows us to present a DYNAMIC print server list of
printers in Web Interface.
But that is Internet? Why go internal if made for internet? Because we can and we thought of it first!
Well, it was not really made for Internet other than it allowed for connecting to printers at work from home in a
secure manner. We are going to use this to connect to printers internally in a secure manner from a
device that does not support printing but the OS does and using GPO we can allow this to happen in the write
cache.
There has never been a need until now, with ZERO CLIENT. Think about it, it provides the ability to print over
the internet using RPC encapsulated in HTTPS. Yet, it is perfect
for this specific scenario – a fact that we should take full advantage of before others catch on and become the
first to create the ZERO CLIENT printing!
If you turn it on internal then it defaults to RPC and you can use Windows Integrated Login for
the website so the ZERO Client running the Windows OS connects to the website and the OS and website are
now communicating and the ZERO Client doesn't care at this point that you are printing RPC. Printer is
automatically installed. Printer is now available to print. More than likely, there is probably a way
to automate this further.
Option 1
Host the Private Cloud Printing Service (PCPS) in a dedicated infrastructure
zone. Multiple clients per PCPS, clients only see their printers due to one-way-trust. Redirect output to print
servers at each site or we can host a dedicated customer print server with standard drivers
– policies configured to use UPD regardless - another MT-Print Server with all the printers for all customers in
the Domain or even IP based and provide access to the Printer Management Console for each customer.
Option 2
Place a PCPS at each location where the customer maintains a file server and in this case they will need to add
the WFH printers to that server.
Option 3
There are always more options. I’m just documenting what I am thinking at this moment.
Benefits
Private Cloud Printing Service (PCPS) makes it possible for VDI running Windows OS to use printers that are located anywhere in the world, using any client, can print to the closest corporate owned printer.
A website is presented to the customer with a list of printers to which they have access; this can be printers or fax machines or multi-purpose devices.
The Private Cloud Printing Service (PCPS) Gateway Server can be hosted in the client segment but must have a registered IP and URL that is merely Internal accessible. As an option, we can consolidate all “printers” to the client subnet in a dedicated customer zone and IPP web interface to contact this server instead of placing multiple Private Cloud Printing Service (PCPS) Gateway Servers in the customer environment. Although this is an option the following must be considered:
We do not want to be in printing driver business; customer must manage
Printing output to printers in remote offices experience slowness (However)
o Possible resolution is the remote office Branch Repeater product from Citrix
This provides faster printing
This provides faster file copies
This provides faster ICA/HDX compression and speed
This provides faster application traffic for SQL, Oracle and certain others
Note: Requires Platinum Edition of XenDesktop but is more than worth the expense for what you get.
Side Note: Why you SHOULD buy PLATINUM.
Branch Repeater
XenApp as application consolidation –
o Platinum allows XenApp or XenDesktop connects
HDX WAN Optimization for high-end graphics
Edgesight
o Monitoring and Reporting
o Trending
o Forensics Historical Analysis Suite
Edgesight for virtual desktops
Edgesight for Netscaler
Edgesight for Branch Repeater
SSO – Single Sign On
o SSO for Customer Business Applications
Quick Summary
Keep in mind, users are already authenticated. They are simply remote. By exposing a website or websites as
a VIP to a VDI that is already authenticated
allows for Integrated Logon. The site will not be searchable, you are not required to authenticate like with
regular IPP due to having the one-way-trust. Internal infrastructure already exists.
How does it work!
The “Private Cloud Printing Service (PCPS)” process is as follows:
From a client computer user types the internal URL for a printing device (Option 1)
o Created as Favorites in Profile
VDI customer types in URL of the website hosting PCPS relay components
o User is authenticated using Integrated Logon (must be enabled – not on by default)
o User is presented with a list of printers to which they have access
o User clicks printer, printer is installed, printer is now available to Zero Client
The RPC (internal) request is sent over the LAN or MPLS customer “Private Cloud Printing Service (PCPS)” server
o Hosted per customer segment and can exist on the customer owned file server
o However, preferred is create a “Delivery” segment due to one-way-trusts you can actually host every customer printer on one ICP server but the more we host the more resources we need but this is better than one or two per customer segment
o The other option is to have the customer host an ICP per segment where the print servers reside
After the server authenticates the user utilizing Integration, the server presents status information to the user by using Active Server Pages (ASP), which contains information about currently available printers to which they have access
When the client first tries to connect to any of the printers it searches for a local driver.
o The Zero Client does not allow this but in this case the VDI and write cache would allow, although only per session.
o Our Private Cloud Printing Service (PCPS) server generates a cabinet file (.cab file, also known as a setup file) that contains the appropriate printer driver files.
o The print server downloads the .cab file to the VDA.
o The user on the client computer is prompted to download the .cab file
o Prompt can be removed by GPO.
o It is “possible” that we can remove the CAB file download and just have the virtual OS perform a “logical mapping” and send output direct (GPO). I would be surprised if this is not an option.
o The client computer downloads the printer driver and connects to the printer by using RPC due to this being an “Intranet” LAN/WAN printing.
o Internal Printing Protocol (IPP) is an option if client wishes for a more secure option where the traffic is HTTPS/RPC.
o All of this is controlled by an extensive ADMX file for GPO
o With a Medium-high or Medium security zone, IPP is used, and with a Medium-low security zone, RPC is used.
At this point, the virtual OS that is running on the Zero Client is now able to print using our
Gateway service and it was all internal.
Additional Recommendations
The print server can use IIS and other technologies to collect and log extensive data about the user, the computer that sends the printing request, and the request itself. If we can use the Windows collection service this would be a perfect fit to enhance security and provide auditing for customer.
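One way to act on the logging recommendation above, as an added example that is not part of the original article: a Python check over IIS W3C logs that flags print-site requests served outside HTTPS or without an authenticated user. The log lines are constructed, and the `/printers` path, the selected log fields and the function names are assumptions about how the site is set up.

```python
"""Audit IIS W3C logs for the print site (constructed sample, hypothetical names)."""

# Constructed sample log, not taken from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem s-port cs-username c-ip sc-status
2010-06-01 13:00:01 GET /printers/ 443 - 10.20.1.15 401
2010-06-01 13:00:01 GET /printers/ 443 CUSTA\\jdoe 10.20.1.15 200
2010-06-01 13:00:09 GET /printers/ipp_0001.asp 80 CUSTA\\jdoe 10.20.1.15 200
2010-06-01 13:02:44 GET /printers/ 443 - 10.20.7.80 200
2010-06-01 13:03:10 GET /iisstart.htm 80 - 10.20.7.80 200
"""

PRINT_PATH = "/printers"  # assumption: default Internet Printing virtual directory


def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()  # W3C logs encode spaces inside values as '+'
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def audit_print_requests(text):
    """Return (reason, entry) findings for requests to the print site."""
    findings = []
    for e in parse_w3c(text):
        if not e["cs-uri-stem"].lower().startswith(PRINT_PATH):
            continue
        served = e["sc-status"].startswith(("2", "3"))
        if e["s-port"] != "443":
            findings.append(("not-https", e))
        # A 401 with no user is the normal Integrated-auth challenge; only a
        # served anonymous request means Integrated Logon is not enforced.
        if e["cs-username"] == "-" and served:
            findings.append(("anonymous-served", e))
    return findings


if __name__ == "__main__":
    for reason, e in audit_print_requests(SAMPLE_LOG):
        print(reason, e["date"], e["time"], e["c-ip"], e["cs-username"], e["cs-uri-stem"])
```

The same two checks can run on the collection server once the IIS logs are forwarded there.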
It might be possible to turn off the CAB file download and print direct. I think this is
in the GPO but have not had time to research. Hopefully, more to come on this one but as is
it resolves the Zero Client Issue utilizing existing technology.
Many have used this article to implement Zero Client and free RPC/IPP internal printing using print servers
that already exist: simply enable IPP printing and you have a web GUI on that print server.
But differentiation is all about being extreme, rewarding the best and weeding out the ineffective. Rigorous
differentiation delivers real stars—and stars build great businesses.
Welch, Jack; Byrne, John A. (2003-10-01). Jack: Straight from the Gut
I was blunt and candid and, some thought, rude. My language could be coarse and impolitic. I didn’t like
sitting and listening to canned presentations or reading reports, preferring one-on-one conversations where
I expected managers to know their businesses and to have the answers. I loved “constructive conflict” and
thought open and honest debates about business issues brought out the best decisions. If an idea couldn’t
survive a no-holds-barred discussion, the marketplace would kill it. Larry Bossidy, a good friend and former
GE vice chairman, would later liken our staff meetings to Miller Lite commercials. They were loud, raucous,
and animated.
Welch, Jack; Byrne, John A. (2003-10-01). Jack: Straight from the Gut
Eventually, I learned that I was really looking for people who were filled with passion and a desire to get
things done. A résumé didn’t tell me much about that inner hunger. I had to “feel” it.
Welch, Jack; Byrne, John A. (2003-10-01). Jack: Straight from the Gut
Brian Murphy
101 E. Park Blvd, STE 711
Plano, TX 75074
(M) 214.476.4513