Setup Guide IGEL Linux and USB Redirection

Author: Posy Thomas
Whitepaper

Setup Guide IGEL Linux and USB Redirection Version 1.00

Sponsored by:

Blog: blog.cloud-client.info
Website: www.cloud-client.info

This document can be distributed and used free of charge and has no commercial background. Parts of this document may not be used in other documentation, articles or in any other way without the permission of the author. For questions related to the document contact [email protected]

The author is not responsible for any damage related to this document, including the use of 3rd-party software or configuration suggestions provided by this document. Please test any provided information in advance!

© Michael Hoting 2014

Whitepaper: Setup Guide IGEL Linux and USB Redirection

Page 1

Task

You want to use USB devices together with a Terminal Server / VDI? Here is how to go…

Requirements

- A Thin Client/PC with IGEL Linux (OS/LX) installed
- A supported environment. Supported (native) solutions are:
  - Remote Desktop Services (Windows Server 2012 / 2012 R2, Windows 8 / 8.1 / 7; attention: Windows 7 based VDIs must be running on Hyper-V with an assigned RemoteFX graphics card)
  - Citrix XenDesktop version 4 and higher
  - Citrix XenApp version 7.5 and higher
  - VMware View with the PCoIP protocol enabled and in use; other protocols are not supported

For other, non-native solutions you can also use Fabulatech USB for Remote Desktop. This solution requires the Fabulatech USB for Remote Desktop server component to be installed on the Terminal Server or VDI. Please note: only USB for Remote Desktop is supported, and extra Fabulatech license fees apply. If you want to buy Fabulatech licenses, don’t forget to mention that you are an IGEL customer; it will reduce the fees a little bit. A trial version is also available and should be used to verify the solution in advance.

Important

Server operating systems require pre-installed device drivers! You can’t use USB redirection with a server OS if drivers for the devices are not available and installed on the server. This is by design and it must work this way. Just think about what happens on a Terminal Server with 20 users or more when a user is able to install a driver… Reboot and all users are offline. Great!

Prevent extremely stupid things, here are the Top 10:

1) Never map USB based network devices; this will drop established connections, you know?
2) Never map DVD or Blu-ray drives to create/write DVDs or Blu-ray discs. Can your network handle the full USB speed? Mostly not, and the result will be a lot of damaged DVDs or Blu-ray discs.
3) Never map devices which can’t deal with latency. This could be Smart Cards or imaging devices (like Swiss PayPen or some business card scanners); you will get crazy results.
4) Be careful with Human Interface Devices (mouse, keyboard and display touch panel); they will no longer be available to local applications on the client.
5) USB redirection is not supported by any mobile phone vendor; for some vendors like Apple or Microsoft it’s forbidden through the EULA. If something happens here you may lose any support and warranty, so check this in advance for all devices you want to redirect!!!

Page 2

6) Always be aware of what you are doing: you map hardware through the network to a server/desktop, and a driver is a very sensitive thing. This might result in Blue Screens, server freezes and similar negative effects. Test everything in advance, use USB redirection only if really required and never use it in general or for a large group of devices or users! If you use a WiFi connection, consider that the device is now also connected through the air and not through a cable. Depending on the device, this can result in funny effects on the server side if the connection is not stable. Compare it to plugging and unplugging the USB cable very quickly on a local PC.
7) Be aware that USB redirection can create a huge amount of network traffic by design (USB 2.0 spec: up to 480 Mbit/s = 60 MB/s effective per device; USB 3.0 spec: up to 5 Gbit/s = 625 MB/s effective per device). Your network must be able to deal with it…
8) Never ever use USB redirection with USB based display adapters! This will create fun in the network and on the backend, and it will often result in nice Blue Screens in your server backend.
9) Be aware that some vendors don’t stick to the USB power specs (5 V at 0.5 A = 2.5 W for USB 2.0). Thin Clients are low voltage devices by design (20 W power supply) and are not able to handle USB devices which consume much more power than defined in the USB specification. It might be required to use a Y-cable or an extra power supply for the USB device you want to redirect. This issue always pops up after the driver is installed and the driver tries to grant more power to the USB port. Typical behavior: you plug in a device and you see the driver being installed. After the driver is available, the device is not available anymore or is listed as a non-working device. If this happens, very often the device is getting insufficient power.
10) Don’t try to get support from a hardware or software vendor for a device which is not working through USB redirection; they will not provide you any support.

USB redirection will never be 100% compatible, and be aware that everything you are doing is at your own risk.

Last but not least… Only a complete moron will perform a USB device firmware update through USB redirection! I just want to make this very clear!

Please Note

This Whitepaper is provided for free without any warranty or support from Citrix, VMware, Microsoft, Fabulatech, IGEL Technology, BCD-Sintrag AG or cloud-client.info. All configuration tasks are done at your own risk; we are not responsible for any damage related to the use of this whitepaper. Do not perform these configurations in a running production environment! Users might be disconnected from their sessions, or the infrastructure might not be available during the configuration steps.

This Whitepaper covers only the basic and most important configuration settings which are required to get it running. Special configurations, tweaks and similar are not part of this Whitepaper.

Page 3

Where are the USB redirection settings located?

For VMware View, Microsoft RDP/Remote Desktop Services and Citrix sessions you will always find the settings/configurations in the global session configuration. For example, for Citrix sessions:

Native USB redirection always means the USB redirection that comes with the solution itself, so in this case the USB redirection coming with XenDesktop 4/5.x/7.x or XenApp 7.5. As an alternative, the Fabulatech USB redirection is also available for Citrix and Microsoft. Be aware that Fabulatech USB redirection requires an add-on component installed on the server. Do not mix native and Fabulatech USB redirection or enable both at the same time!

Why Fabulatech?

Fabulatech is useful in scenarios where the Terminal Server/VDI solution does not offer a “native” USB redirection, for example Windows Server 2008 R2 RDS or Citrix XenApp 6.5. So it provides an add-on feature. Fabulatech is licensed per user that uses USB redirection.

One thing is important to know for the Fabulatech USB redirection setup: a change made in ICA Global->Fabulatech USB Redirection will also apply in RDP Global->Fabulatech USB Redirection. This behavior is related to the fact that the same Fabulatech solution is used in both places, and this solution is available for Citrix ICA and Microsoft RDS.

Page 4

Difference between Class and Device Rules

Class rules apply to a USB device class. This means that if you enable USB redirection for the USB Mass Storage Device class, all devices assigned to this class will be redirected. It’s a simple way to allow a bunch of different devices for USB redirection, but it can also be dangerous. For example, if you allow the class Human Interface Device in order to redirect a sign pad or a drawboard, this will also result in USB redirection for the mouse and the keyboard. The mouse and the keyboard are then redirected and can’t be used with applications running locally on the Thin Client (like IGEL Setup, the Firefox browser or another Terminal Server/VDI session).

A device rule is based on a unique Vendor ID (VID) and Product ID (PID). This means all devices coming with the same VID and PID will be redirected. Typically this is only one device model, like a fingerprint reader (see sample). Working with the PID and VID gives you very detailed control over the redirected devices.

The screenshot is from the Windows Device Manager (sorry, it’s in German), but here you can see the Vendor ID marked in red and the Product ID marked in green.

Important for PID and VID: if different revisions of a device type are available, these revisions may come with different PIDs. This means you might have to create several configurations for one device type. If you are dealing with a server OS as Terminal Server/VDI, you might also be forced to install several drivers in this case; vendors sometimes provide separate drivers for different revisions of one device model. For low budget memory devices you can also see that a couple of different devices always come with the same PID and VID, so device rules are not a way to add USB storage security at this point.

Note: If you want to add USB device security (which has nothing to do with USB redirection), please refer to our blog article: http://blog.cloud-client.info/?p=384 The article is already more than one year old, but the procedure is still valid for current IGEL Linux based firmware versions.

Page 5

USB 3.0 Redirection

Some IGEL devices come with USB 3.0 ports, and devices connected to these ports can be used through drive mapping redirection. This doesn’t mean that these ports can also be used for USB redirection!

Products currently supporting USB 3.0 on the server side:

- VMware View, min. version 5.3.x, with limitations; see the VMware Knowledgebase.
- Citrix XenDesktop/XenApp, min. version 7.6.
- Microsoft RemoteFX: no real information available, but it seems to be unsupported at the moment (Windows 8.1 / Windows Server 2012 R2 and earlier) or produces a lot of issues. Source: Microsoft TechNet forums
- Fabulatech USB for Remote Desktop version 5.0.4.

Please note: This doesn’t mean that the current agent for Linux supports this feature out of the box! Please verify this in advance.

How can you test this? Just set up USB redirection, connect the device to a USB 3.0 port (blue connector) and start a session. If the device is available in the session, USB 3.0 is supported. If the device is not available, close the session and plug the device into a USB 2.0 port (black connector), then start the session again. If the device is available now, USB 3.0 is not supported. If you still see no device, verify your configuration on the client and the server.

Left: USB 2.0 ports in black. Right: USB 3.0 port.

If you have migrated some non-IGEL devices to IGEL Linux with the Universal Desktop Converter, please note that some vendors also use black connectors for the USB 3.0 ports. In this case, refer to the device manual to find out where the USB 3.0 ports are located.

Page 6

Special Notes related to Microsoft RemoteFX

There are some notes we want to add about RemoteFX based USB redirection. First of all, USB redirection with RemoteFX is not available for Windows 2008 R2 in general, nor for virtual Windows 7 based VDIs without an assigned RemoteFX GFX card. Also, if you are using Windows 8.x based VDIs or Windows 2012 R2, you should know that a USB device is not always a USB device for RemoteFX.

One sample: You can redirect a WiFi dongle, Bluetooth token (to Windows 7/8 only, Windows Server OS does not support Bluetooth!), keyboard, flatbed scanner, webcam or an XBOX 360 controller, but it will not work for MTP based devices. Here Microsoft seems to handle the devices differently, and this is currently not supported with the IGEL Linux RDS client; or, better explained, we never got it to work with a smartphone (tested with Windows Phone 8.1 and some Android based devices) that communicates via MTP. So a bunch of smartphones will not work and/or are not supported. This is not directly mentioned by Microsoft, but if you read TechNet or some RemoteFX related blogs you will see that Microsoft often describes USB devices and MTP based devices in relation to Plug and Play device support for RemoteFX. This different wording points to different handling in RemoteFX.

So if you want to deal with MTP based USB devices, please note: it will currently not work with IGEL Linux, and you have to use a Windows based client or Fabulatech USB redirection.

Remember: For Windows Server OS, install the driver first!

If USB redirection is not working with one or more USB devices together with a Windows Server OS (2012 or 2012 R2 only), check the Windows Device Manager. For example, if you redirect an XBOX 360 controller to a server OS and the driver was not installed in advance, it will look like this:

The picture is in German, but if you open the device you will get more details; the error message will be “Device driver is not installed (Code 28)”. It’s not possible to install the driver for the device at this point through the Device Manager! For Windows desktop OS versions the behavior is different; here the driver will be installed just as on a regular desktop/laptop.

If you don’t see any USB device in the Windows Device Manager, verify that USB redirection is enabled on the server or search the web for a solution. USB redirection is very tricky, and different solutions can create different results. A device working with VMware based USB redirection doesn’t have to work with another one, and so on… There is no guarantee at all!

Page 7

A sample Setup

Here is one sample of how a setup can look. The sample is based on Microsoft RemoteFX, but for Citrix XenDesktop or XenApp (7.5) and Fabulatech the setup will be similar, so one sample should be enough.

Target: USB redirection for two devices, an XBOX 360 game controller and a Western Digital MyPassport HDD with password protection enabled. The latter requires USB redirection because WD doesn’t offer a Linux application to unlock the device. Only these two devices should be used with USB redirection; USB class redirection for a bunch of devices should not be used at all.

Step 1
First of all you need to do your basic session setup and make sure that USB redirection is available for your Terminal Server / VDIs. This is already done in my setup and does not require any special steps for IGEL Linux.

Step 2
Get the USB device IDs. This can be done in several ways.

1) Through the Windows Device Manager, see page 5.
2) Open the local IGEL Setup, browse to Devices->Hardware Info and start the Hardware Info tool. Now select USB Device and scroll down the list to the wanted USB devices, select a USB device and write down the Vendor and Product ID (see screen below). Red=Vendor ID/Green=Product ID

Page 8

3) Open a Linux Terminal (command line) and execute the command “lsusb”. Red=Vendor ID/Green=Product ID

Do this for all devices you want to use with USB redirection. Of course you can also work with the class ID, but I don’t recommend this at all.

Step 3
Open the IGEL Setup or the UMS profile where you have done the global session setup; in my case it’s Sessions->RDP->RDP Global->Native USB Redirection. Create a new device rule by selecting the star in the device rules panel and enter the first rule like the sample shown to the right. If you got the PID and/or VID as a three digit number like 45e or 28e, add a leading zero, like 045e or 028e. Repeat this for all devices you want to use with USB redirection. The result should look like the picture below.

Page 9

Step 4
Now start the configured session to the VDI or Terminal Server and log in with your credentials. If you are connecting through the Remote Desktop Gateway for Remote Desktop Services, make sure that Plug and Play devices are enabled in the RD Gateway resource policy too!

Step 5
In the session I can now see three devices. One is the XBOX 360 controller, which is working fine. The WD hard disk is shown as two devices, one working and one not working. This behavior is related to the fact that the hard disk mounts a virtual CD-ROM drive which contains the unlock software, and this device is not working at all. If I open the device in the Device Manager to get more details, the following error is shown:

The device could not be started (code 10) STATUS_DEVICE_POWER_FAILURE

This issue can happen and currently it can’t be fixed. It should demonstrate that a device can be redirected and still not be usable in the session; there is no way to fix it at this point. Of course the result could be different with another solution… Please test everything in advance. USB redirection can be a great help, but it’s not easy to set up and there is no guarantee that you can use a device in a session.
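Added example (not part of the original whitepaper and not IGEL’s rule engine): a small Python model of the class rule versus device rule difference described earlier and of the leading-zero normalisation from Step 3. The device inventory and the `lsusb` line are constructed; apart from 45e/28e all IDs are placeholders, and the matching logic is a simplified assumption.

```python
import re

HID, MASS_STORAGE = 0x03, 0x08  # USB-IF class codes

# Constructed inventory: (name, VID, PID, interface class). Only 45e / 28e
# appear in the whitepaper; all other IDs are made-up placeholders.
DEVICES = [
    ("Xbox 360 controller", "45e", "28e", 0xFF),
    ("Keyboard", "1111", "0001", HID),
    ("Mouse", "1111", "0002", HID),
    ("Signature pad", "2222", "0010", HID),
    ("Cheap USB stick, brand A", "3333", "0100", MASS_STORAGE),
    ("Cheap USB stick, brand B", "3333", "0100", MASS_STORAGE),
]

# Constructed line in the usual `lsusb` layout ("ID vvvv:pppp description").
LSUSB_SAMPLE = "Bus 001 Device 004: ID 045e:028e Microsoft Corp. Xbox360 Controller\n"


def normalize_id(raw):
    """Return a VID or PID as four lowercase hex digits ('45e' -> '045e')."""
    raw = raw.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{1,4}", raw):
        raise ValueError(f"not a 16-bit hex ID: {raw!r}")
    return raw.zfill(4)


def parse_lsusb(text):
    """Extract (vid, pid, description) tuples from plain `lsusb` output."""
    pattern = re.compile(r"ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)")
    return [(normalize_id(m[1]), normalize_id(m[2]), m[3].strip())
            for m in map(pattern.search, text.splitlines()) if m]


def redirected(devices, class_rules=(), device_rules=()):
    """Names of the devices that the given class and VID:PID rules match."""
    wanted = {(normalize_id(v), normalize_id(p)) for v, p in device_rules}
    return [name for name, vid, pid, cls in devices
            if cls in class_rules or (normalize_id(vid), normalize_id(pid)) in wanted]


def shared_ids(devices):
    """VID:PID pairs carried by several devices; a rule cannot separate them."""
    seen = {}
    for name, vid, pid, _ in devices:
        seen.setdefault(f"{normalize_id(vid)}:{normalize_id(pid)}", []).append(name)
    return {key: names for key, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    print("HID class rule:", redirected(DEVICES, class_rules={HID}))
    print("Device rule   :", redirected(DEVICES, device_rules=[("2222", "0010")]))
    print("Shared VID:PID:", shared_ids(DEVICES))
    print("From lsusb    :", parse_lsusb(LSUSB_SAMPLE))
```

The HID class rule pulls the keyboard and mouse into the session along with the signature pad, while the device rule matches the pad alone; the two USB sticks share one VID:PID, which is why a device rule cannot serve as a storage security control.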

The End

Page 10