
May 2nd, 2022 10:00

Wyse 3040 Clients Lose Connection to WMS


We are a new adopter of WMS and Wyse 3040 thin clients, and we are having some problems keeping the devices registered with WMS. They do just fine at first, but after some time they seem to drop off the network and become unmanageable. They also will show a (red) circle in WMS meaning it's registered but not communicating. The devices still work to a degree, but they just become unmanageable and unreachable in the management interface. The only way to get them back is to unregister, delete them, then re-register them and assign them to the configuration group. I don't think a firewall is the problem, because they work initially. It almost seems like a timeout or power saving issue.

Any help would be appreciated,

ThinOS 9X. The server is Version: WMS 3.5.2 16.

3 Apprentice • 712 Posts

May 11th, 2022 09:00

Please confirm 2 things:

1) WMS, portal administration, Setup.  Make sure "Server Certificate validation..." is NOT checked

2) On the device,  Central Configuration, Advanced, "Enable CA Validation"   make sure that is NOT checked

buffalobound_1-1652286487225.png

 

 

buffalobound_0-1652286375098.png

Unless you are providing an SSL certificate to the device that can be validated, then you do not want this turned on. My gut tells me one of these, if not both, are enabled, causing the device to lose communication.

 

3 Apprentice • 712 Posts

May 2nd, 2022 11:00

Make sure you are testing with ThinOS 9.1.6108

Does a reboot allow them to communicate again?

Port 443 and 1883 need to be open to the WMS server.

What messages are you seeing in the event log on the device when it fails to communicate?

Make sure you do not have something like this set in the WMS policy for that group

buffalobound_0-1651517894888.png

 

 

May 2nd, 2022 12:00

The ThinOS version is (9.1.5067)

Rebooting does not bring them back. The only way to get them back is to unregister them, then delete them, reboot them, then add them back to group.

The ports you specified are open across the board.

My ThinOS is not what you said to be sure to be on. I suppose I can try to download and push out the version you specified.

May 6th, 2022 09:00

Tried all of your suggestions, but no go. They seem to work for a while until you make a policy change or something, but then they lose their status and compliance turns grey. Once it's grey, you are limited on what you can manage on the device. VNC seems to work, but restarting, updating, or getting any accurate information on the unit doesn't work. I wonder if WMS is actually ready to be used in a corporate network. : /

3 Apprentice • 712 Posts

May 7th, 2022 05:00

Please share screenshots of the following from the device. 

  1. Event log: in particular, there should be some lines in regards to communication with WMS
  2. Settings, central configuration (make sure there is a check mark in "Enable WMS Advanced Settings", and make sure you unmask the group registration key)

Please share the following From the WMS console

  • Portal administration, Setup, scroll to the bottom
    • WMS URL's

 

May 9th, 2022 05:00

I don't see anything in the event log on the device or the WMS server to indicate communication with WMS.

WMS Advanced setting is not on. But when I turn it on there is no "Unmask" option. I'm not sure we need to have "Advanced turned on"

There are no "URL's" at the bottom of the Portal Administration page.

See attachments

Central ConfigurationCapture.JPG, portal_administration_bottom_of_page.JPG, WMS_Advanced_WMS_SettingsCapture.JPG













3 Apprentice • 712 Posts

May 9th, 2022 07:00

Your attachments did not post.  Please try to post them again, or send them to me directly. 

 

3 Apprentice • 712 Posts

May 11th, 2022 06:00

The images are now viewable in the post, not sure why they were not originally. 

If you click on the advanced box you can see what the WMS server name is being used.

What I suspect, and what I have seen in the past, is that the WMS server is "Bound" to a name that the client can't resolve, after it checks in.

As an example, let's say your WMS Server is "WMS.company.com" which the device is able to resolve using DNS and able to register with initially. Sometimes WMS is "bound" in the database to listen on the NetBIOS name "WMS" instead of the FQDN "WMS.company.com". When the device registers, the WMS Server tells the device to communicate using the short name "NetBIOS" instead of the long name "FQDN". If the device is not in the same DNS name suffix as the WMS server, then the name lookup will fail and the device will no longer be able to communicate with the WMS Server.

The paid version (WMS Pro) provides a GUI for seeing and changing that name in the database if needed.  The free version can be changed as well, but it will need to be changed manually using database tools.  

In order to diagnose that this is the case:

1) Using the advanced setting above, what does the thin client "Think" it should be communicating with?

2) Using the device, troubleshooting, Ping, can you ping the name in the WMS Setting?  Is the name the Netbios, or the FQDN?

3) The event log on the thin client should show errors, or on the thin client, System information tab, About tab, should show a section for WMS and MQTT Status.

 

buffalobound_0-1652275336503.png

 

May 11th, 2022 07:00

1 (1).jpg

May 11th, 2022 07:00

Thanks so much for your help.

I have determined the thin clients can resolve both the single NETBIOS name and the FQDN with no problem. So they are able to communicate with the proper WMS server. I also did a telnet to the WMS server on port 1883 and that is also successful using NETBIOS and FQDN. 

There are some self-signed certificate errors in the thin client log files, but at this point I don't think it's related but not absolutely sure. Here is a snip from the events.

3 Apprentice • 712 Posts

May 11th, 2022 07:00

On this same advanced screen on the thin client, There is a check box for "Validate Certificate" or Certificate validation...

Is that checked or unchecked? The image above isn't resolving yet, so if it is there I am sorry I can't see it yet. Weird forum issue.

 

buffalobound_1-1652279370883.png

 

 

buffalobound_0-1652279317153.png

 

May 12th, 2022 11:00

Turns out you were right about the CA validation. Once I unchecked that on the client's side everything starts working perfectly. I enabled the advanced WMS configuration on the server and turned off CA validation, but it appears once the clients have that option already enabled you manually have to turn it off in each client. Now the question is: is the data encrypted between the server and clients?

3 Apprentice • 712 Posts

May 12th, 2022 18:00

I am glad you found a solution. Yes that setting is not on by default. 

The underlying connection is secure; it is using HTTPS. That setting, when enabled, tells the device that it MUST validate the certificate to allow connection. Since it is a self-signed certificate, it can only validate it if you put the certificate on the device.

If you want to enable this advanced security feature (most don't), then you would want to purchase a certificate from a public CA whose root certificate is already present on the device, so it can be validated. The list of providers is in the admin guide.

I hope this helps clear any confusion.
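
The checks discussed in this thread (name resolution for the short name and the FQDN, ports 443 and 1883, and whether the server certificate would pass validation) can be run in one pass before "Enable CA Validation" is switched on. This is an added example, not part of any post and not Dell code; the function names are hypothetical, and it assumes the script runs on the same network as the thin clients, using the workstation's trust store (or a PEM file passed as `cafile`) to stand in for the device's.

```python
import socket
import ssl

# OpenSSL verify codes mapped to what they mean for this thread's scenario.
HINTS = {
    10: "certificate has expired",
    18: "self-signed certificate that is not in the client's trust store",
    19: "chain ends in a root the client does not trust",
    20: "issuing CA is not in the client's trust store",
    62: "certificate does not cover the name the client connects to",
}

def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def would_validate(host, port=443, cafile=None, timeout=3.0):
    """Try the handshake a validating client performs; return (ok, reason)."""
    # cafile=None: system trust store. Pass the server's exported PEM to
    # model a client that has the self-signed certificate installed.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True, "certificate validates for this name"
    except ssl.SSLCertVerificationError as exc:
        return False, HINTS.get(exc.verify_code, exc.verify_message)
    except OSError as exc:
        return False, f"no TLS session: {exc}"

def preflight(names, ports=(443, 1883), tls_port=443, cafile=None):
    """Check each name (short and FQDN) for DNS, open ports and validation."""
    report = {}
    for name in names:
        try:
            entry = {"address": socket.gethostbyname(name)}
        except OSError:
            report[name] = {"address": None}  # name does not resolve
            continue
        entry["ports"] = {p: tcp_open(name, p) for p in ports}
        entry["tls"] = would_validate(name, tls_port, cafile)
        report[name] = entry
    return report

if __name__ == "__main__":
    # Names taken from the example in the thread; replace with your own.
    for name, result in preflight(["WMS", "WMS.company.com"]).items():
        print(name, result)
```

A `tls` result of `False` for a name the server hands to its clients means devices with CA validation enabled will refuse to check in under that name.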

 

May 13th, 2022 03:00

You have been a tremendous help, I can't thank you enough for taking the time to guide me with advice. Good to know there are some decent people supporting this app.

Regards
Darwin

May 13th, 2022 03:00

Yeah, we are a corporate entity and will probably wind up purchasing a subscription depending on the cost. We have around 100 users so hopefully it won't be too bad. 

One more thing:

The "Last User" field in the devices section shows "N/A", whereas it should show the current or last user that logged in. I noticed it does show the user in the devices that are not registered that are sitting in the default container, but when you move them into a managed group that goes to "N/A". I found one thread where someone had that issue, but it seemed unrelated. I have a feeling it may have to do with using Citrix, but not really sure. We can probably live without it, but it would be nice to have the user field populated.






techy_pris_1-1652438511351.png

 

 



Thanks again,





