Project with Raspberry PI 4, WTWARE and smartcards

[k0rmok]

Hi all,
i need a bit of advice on the best practise for our project.
We are certain that we want to make the project work this way but we have some doubts on how to do it.

1 - In a VMWARE cluster we installed a machine with Windows 2016 Datacenter Edition. This is the machine we want to use for all the users with raspberry to connect to.
2 - We have another Windows 2016 Datacenter machine that is the Domain controller.

First doubt: For this to work we need a device cal for every raspberry pi with wtware and a rds cal for each too, right? Do i need to add the license to the machine with that purpose or can the licenses be added to the domain controller? Is it RDS cal that we need?

Second doubt: Some of the raspberry's are for medical doctors so they will need to use their card to make medical prescriptions. Is this possible? And how?

Our idea was to have laptops only for the people that need a complete system. All the other users (around 120) would use raspberry pi with wtware and make a remote session where they could find the ERP, Office 365 Essentials, and Email.

Give me your thoughts and help.

thanks in advance.

[Fraal]

Hi K0rmok,

You're on the right path, you will need RDS CAL's but they're called Windows Server Non-specific edition, version 2019, Per User CAL's (my recommendation anyway). If I understand you are you saying you have 120 users and they all have a pi and connect at the same time? Or just a few pi's but have a total of 120 users?

Either way you need to use RD Licencing Manager to issue the licenses, it can be installed on your domain controller without an issue. You then add your licenses into manager and your pooled session collection server will do the rest.

You will need to consider additional VDI Licensing if you wish to connect to 'personal sessions' (Windows 10 vm's).

Just when resourcing the server this website has some useful info, https://support.accops.com/support/solu ... op-server-

Wtware supports some smart cards and I've had some working for printing releases, just requires some unique config which I believe are on their website.

[aka]

Second doubt: Some of the raspberry's are for medical doctors so they will need to use their card to make medical prescriptions. Is this possible? And how?

https://wtware.com/docs5/smartcard.html

[k0rmok]

Hi K0rmok,
You're on the right path, you will need RDS CAL's but they're called Windows Server Non-specific edition, version 2019, Per User CAL's (my recommendation anyway). If I understand you are you saying you have 120 users and they all have a pi and connect at the same time? Or just a few pi's but have a total of 120 users?

We are talking about around 100 Pi's for a universe of 300 users so that's why im talking about device cals instead of user cals.

Either way you need to use RD Licencing Manager to issue the licenses, it can be installed on your domain controller without an issue. You then add your licenses into manager and your pooled session collection server will do the rest.

im encountering some problems that i think it can be easily solved. I have already installed wtware on the VM with Windows server but i cannot make the step "create sd card" because it's a VM. What's the bypass for this situation? I wanted to test the Pi's to make sure the connections and resources will be stable enough for working

You will need to consider additional VDI Licensing if you wish to connect to 'personal sessions' (Windows 10 vm's).

we are only planning on users to have their "personal sessions" on windows server 2016 sessions. That's why we want to create a VM just for this purpose.

[akatik]

I have already installed wtware on the VM with Windows server but i cannot make the step "create sd card" because it's a VM. What's the bypass for this situation?

Install WTware on physical machine. Any computer with Windows 7 or newer. Do not install services (DHCP/TFTP/HTTP), remove checkboxes in installer.

I wanted to test the Pi's to make sure the connections and resources will be stable enough for working

Good idea.

[Cobra_Phil]

k0rmok,
If you have more users than devices, you will want Device Cals.
If you have more devices than users, you will want User Cals.
This will make licensing cheaper.
The licenses will be installed through the RD(Remote Desktop) Licensing Manager.
You can install WTWare on a laptop or other computer to create the SD Card. On a system your size you probably should have a DHCP server running anyway, so you don't need the built-in DHCP or TFTP servers.
The RFID cards we are using are Mifare 1K Classics. Other type of cards and even encrypted USB drives are other login options.
The RFID readers we are using are ACR122U-A9. They plug directly into the Pi and are supported by WTWare.
The software we are using to accept the logins and register the RFID cards is called Rohos Logon Key. There is a trial available for testing.
If can be set for single authentication - user walks up, swipes card and is logged into their account.
Or it can be setup for double authentication - user walks up, swipes card, types in PIN and then is logged in.
We have about 25 Pi's running in this manner. Works very nice.
User have access to Office 2019, internet, printers, etc.
It can also be setup to automatically logout a user once their card is removed, or they can manually logout.
Took some time to figure all of this out. Good Luck.

[kormok]

Hello,
got one more question about this project.
At the moment we already have implemented RDS. We have 3 virtual machines:
- The gateway
- The broker
- a Workstation template (windows server 2016) that will be the session template for each user based on gpo's.

where should i install wtware to make the raspberry work and get the sessions?

[akatik]

Install wtware on your own laptop. Run WTware Configurator. Press button with SD and raspberry in top left corner. Write microSD. Insert microSD into Raspberry. Boot Raspberry. Write "server=192.168.1.1" into wtware config with the broker IP instead of 192.168.1.1. You'll get the session.

[k0rmok]

I've tried already pointing to the broker and now i've tested pointing to the workstation template and always got the same error:
Server xxx.xxx.xxx.xxx, port 3391: connecting rejected.
Make sure that terminal service works on this server.
Try to connect using mstsc.exe

Any idea what can be the problem?

[akatik]

Ethernet cable is not plugged into Raspberry?

[Kormok]

It is plugged.

[aka]

https://wtware.com/logs.html

[akatik]

DHCP server at 192.168.151.200 sends settings for this terminal:

IP 192.168.153.5
Network mask 255.255.255.0
Default gateway 192.168.151.254

Default gateway is not within terminal network. It is incorrect. Terminal can not send packets through gateway if gateway is not in the same network. Right default gateway should be 192.168.153.x

[k0rmok]

Thank you.
I've changed the gateway on the dhcp server and now i can see the login screen.

when i try to connect i get another error here's the info on the log:

errorinfo 0x00000410
ERRINFO_CB_CONNECTION_ERROR_INVALID_SETTINGS: The settings contained in the routingtoken field of the x.224 connection Request PDU (section 2.2.1.1) cannot be validated.
Receive Disconnect Provider Ultimatum.
Connection rejected by server.
ERRINFO_CB_CONNECTION_ERROR_INVALID_SETTINGS (0x00000410)
For more details see "Event View" on the server.
[ gm] [ 21.680377] Final message: Connection rejected by server.

[aka]

https://wtware.com/logs.html