Re: Horizon 7.4 with old Tera1 clients

curtisbrown_01 · ‎01-25-2018

Hi All,

This one is entertaining me!

I have a nice new Horizon 7.4 Connection Server (no load balancer) set up with a single pool of a handful of desktops. It's all working fine if you use HTML5 or traditional clients. However, the customer has some old Tera1 based Wyse P20 zero clients. Now, with previous releases, Tera1 based clients would log onto the broker without much difficulty, but couldn't load a session - the fix was to enable TLSv1 in PCoIP. Less than ideal, but it worked.

With more recent releases (at least 7.4, but I've heard 7.3 too), however, the situation is worse. The problem now starts at the Connection server itself, before we even try to launch a session. At first, the zero client was being prevented from connecting to the Connection Server at all. I isolated this to a TLS error - adding TLSv1 to Locked.properties (using secureProtocols.1=TLSv1) moved me forward - the client will now connect to the Connection server enough to provide a Domain logon box.

However, if I try and log on with an entitled user (directly assigned to the pool or Cloud Pod Entitlement), the client states 'not authenticated' and drops you back to the logon screen. The Events database happily says that the user is authenticated. If I put in a bad password, it tells me I've got a bad username or password - so the client is being passed authentication information properly when there's an intentional failed attempt.

Any ideas before I look at tearing it down and go for 7.1 (the earliest that supports vSphere 6.5U1 and might work)? And before you ask - yes, I know the Tera1 chipset hasn't been supported since 6.0.....

jlay3 · ‎01-31-2018

We're using Terra1 on 7.3.2 and have enabled the TLS v1 in the registry on all connection and security servers. We also had to add registry entries in the golden image. We don't have a problem connecting to the connection servers or logging in to the desktops after doing this. We experienced this TLS change in version 6 something but I can't remember which one.

Follow this KB: VMware Knowledge Base

Basically you're adding TLS1.0 to the entries. Keep in mind the security risks that may come from this.

Connection and Security: reg add "HKLM\Software\Teradici\SecurityGateway" /v "SSLProtocol" /t REG_SZ /d tls1.2:tls1.1:tls1.0 /f

Golden Image: reg add "HKLM\Software\Teradici\PCoIP\pcoip_admin" /v "pcoip.ssl_protocol" /t REG_SZ /d tls1.2:tls1.1:tls1.0 /f

curtisbrown_01 · ‎02-01-2018

I'm familiar with the TLS fix for PCoIP sessions, the issue was hitting the connection servers itself. After much fighting with it, we eventually nailed it down to a firmware issue - put the latest release onto the client and we were running.

Thanks anyway.

ksliger_pnfp · ‎02-01-2018

Hey Curtis, I was in a similar situation and made the switch to Wyse ThinOS based thin clients. We have been really happy with them and they are capable of supporting BLAST when the customer is ready to make the switch. We are using the 5060 stand alone and the 5040 all in one. You may already know all of that but just wanted to chime in with a recommendation for them.