installing and supporting idx flowcast™ web desktops alan beckwith and pete chunis, flowcast...

Installing and Supporting IDX Flowcast™ Web DesktopsAlan Beckwith and Pete Chunis, Flowcast Development

5 August 2005Copyright ©2005 IDX Systems Corporation. CONFIDENTIAL AND PROPRIETARY PROPERTY OF IDX. USE AND DISTRIBUTION REQUIRES PERMISSION OF IDX.2

No-touch Deployment

• IDX Flowcast™ goal is no-touch deployment for user

workstations End user should be able to start using IDX Flowcast™ Web Baseline

and Advanced Web without doing anything outside their daily routine

Vendor should support multiple methods to meet this goal

• Early web applications collided with tidal wave of

desktop security concerns


Secure Desktop

• Windows 2000 and Windows XP Pro offer robust

security to prevent unauthorized modification of the

desktop environment.

• Desktops configured so end-users cannot install

software are “locked-down”

• Not possible with Windows 98 or Me


IDX Flowcast™ Technology

IDX Flowcast™ uses ActiveX controls on the desktop

• ActiveX controls provide advanced features Pure server-based applications have scaling issues

Compiled functions deployed to workstation for scalability

Distributed communications – workstation to Cache server

• ActiveX control is a DLL wrapped nicely Downloaded from web server in .cab package

Uses Windows Registry to manage access and control

Internet Explorer invokes after download


The Challenge

Locked-Down desktop provides a challenge Users without local Administrative Privileges cannot

update registered components even when downloaded

from server

When an organization determines how to manage their

desktops other products and network design must be

considered

Decisions made at enterprise rather than product level


Additional Challenges

• User desktops frequently managed by different groups within

your organization Different people, application mix, policies, and tools

Desktop Support may not be as close to IDX Flowcast™ Services

Different PC images make testing difficult

IDX Flowcast™ used differently among groups

• Scale of deployment can be very large


Ongoing Change

All the pieces are undergoing rapid change Windows: security fixes, new features

IDX Flowcast™ new features

• Task Manager

• Web integration

We must manage the changes!


Solutions

• Push technology Mature tools to deliver components

Familiar to those supporting other Windows apps

• Microsoft Active Directory Microsoft’s strategic offering for desktop management

Server 2003 is much improved over AD 2000

recommended by IDX®

IDX® recommends AD and supports both solutions


Active Directory (AD)

Active

Directory

Server

System Manager defines Group Policies to determine components and settings for a machine/group

• Server and desktop negotiate missing pieces during AD login - then download and install

• Update packages delivered as .MSI files

• Works well with Win 2000 and Win XP

• Microsoft recommended/supported solution

• Support for .NET components

• Designed to work when desktop is locked down

Update Package(s)

with MSI files


Push

IDX Flowcast™ client is standard, well-behaved Windows application

Sneakernet NT Login scripts – coarse control via domain

login End user must be able to install applications – local Admin

rights

3rd party push tools Many alternatives ZENworks, LANDesk, SMS, Altiris, etc. Various levels of integration and control


Push Technology

Push Server

• Requires privileged client

• Push occurs after OS boot - installation may require another restart

• “Snapshot”: Packages can be built on a prototype desktop, changes captured and just the delta pushed to end users (several Push tools support this)

• Works best when all desktops are similar

• Oriented towards files - not settings (IE)

• Relies on 3rd party tools

Prototype

Desktop

Update Kit

Change Package


Desktop Updates

.msi files: use with Active Directory Delivered to IDX Web Framework server \WebClientFiles Normally copied to your Active Directory controller See step-by-step document to use these files with AD

Desktop Components install kit: to be pushed Install kit can be Installed or UnInstalled non-interactively using

command-line switches; see Readme for more information Snapshots possible just as with any Windows application Use with your preferred Push tool


Desktop Management

Presume locked down desktops IDX Flowcast™ will help you manage your end-user

workstations by providing several solutions Kits include all components requiring local administrative

privileges for install – excluding OS components

AD design anticipates your needs Designed to support large numbers of desktops over widely

distributed networks Designed-in robustness, scalability and fault-tolerance Flexible to support varied network topologies


Release Management

IDX Flowcast™ policy is to preserve backwards compatibility of new client whenever possible

We inform customers of compatibility issues with any release Major changes such as recent Microsoft JVM issue may

prevent compatibility

What if desktop with old components connects to an updated server?

Login triggers new component download; if download/install not allowed IDX Flowcast™ does not start

Data lives on Cache database server – cannot be touched


Upgrades

IDX Flowcast™ upgrades Built on new versions of enabling tools – IDX Web

Framework extensive project planning All deliverables available upon General Release

Integrated customers IDX Flowcast™, Imagecast™, Carecast™, Allscripts

coordinating product releases to minimize impact on joint customers

Additional coordination still required during upgrade projects


Terminal Services/Citrix

IDX Flowcast™ customers use Terminal Services for some or all their users

With Citrix Metaframe in many cases

Concerns One version of installed applications on any server Cached content must be reloaded if purged roaming profiles across multiple TS servers ref: MS KB

243535


Managing IE Security

Internet Explorer zones offer levels of security IDX Flowcast™ designed to default settings in Trusted

sites zone “Trusted Sites” zone allows different security for IDX Flowcast™ than

for your vanilla Local intranet or Internet zones

Each end-user PC must be configured correctly Active Directory policies Internet Explorer Administration Kit - IEAK

Browser security document included with Desktop install kit


Fully Qualified DNS names

For example liveserver.bigu.edu Provides unambiguous name resolution across enterprise Some load balancers have required Fully Qualified names If DNS is not working, fix DNS, or Use IP addresses – NOT simple names

Most important when network is not homogeneous Inpatient/Outpatient Remote locations Work-at-home staff

url for end users to access web serverWeb Framework: System Connections define path

desktops see to Cache and gateway servers


Trusted Sites Zone

Explicit list of addresses FQ, Simple, and IP names must ALL be listed if used, e.g. liveweb.bigu.edu, liveweb, 10.18.11.155 testweb.bigu.edu, testweb, 10.18.11.165 Interaction with .Net CLR configuration

Each Profile on desktop must be configured

Security may be fine-tuned

Managed by policies, IEAK, registry settings

Local intranet and Internet zones available for other campus-wide uses


Flowcast™ Support

Contact IDX Flowcast™ Support for the latest on using IDX® products with Microsoft hotfixes

More coming to Knowledge Center, Customer Web IDX® product groups test patches Monthly MS Security bulletins

You must decide which patches to deploy and when, based on your own security vulnerabilities

Test first!


Install Kit Contents

Desktop Components Installation Kit Includes IDX Web Framework, Flowcast™ Web

Baseline, Advanced Web, ETM and EDM applications Microsoft CLR (.NET) 1.1, SP1 NOT included

required for Framework Administrators with 3.0 and

ALL users with .Net Advanced Web and with 4.0 Sun Java Runtime Environment - EDM users only Detailed list of files and versions included Designed to be driven non-interactively: Install and

UnInstall VBscript exposes everything


References

IDX® supplied documents

Desktop Components Install kit folder Desktop Components Readme.htm Using Active Directory to Install IDX client-side

application components Browser Security

Flowcast™ Knowledge Center Microsoft Windows Patch Test Standard Patches tested and approved (coming)

describes any known issues


References – Third Party

Microsoft - Active Directory / Group Policieshttp://www.microsoft.com/technet/prodtechnol/ad/default.asp

3rd Party Tools - preparing Push Technologyhttp://www.novell.com/products/zenworks/

http://www.microsoft.com/smsmgmt/

http://www.altiris.com/products/clientmgmt

http://www.microsoft.com/technet/prodtechnol/ad/default.asp

http://www.novell.com/products/zenworks/

http://www.microsoft.com/smsmgmt/

http://www.altiris.com/products/clientmgmt


Web Desktop Management

installing and supporting idx flowcast™ web desktops alan beckwith and pete chunis, flowcast...

Documents

permission of idx

idx systems corporation

proprietary property

idx flowcast web baseline

flowcast developmentcopyright

web server

advanced web

desktop activex controls