Administrator Guide

Security Changes
A new global security policy has been defined for ThinOS Lite and this policy is applied to all secure connections (HTTPS/SSL connections)
with a few exceptions.
Purpose – To improve the security level by default and add the global configuration. This security policy integrates the security setting for each
application.
SecurityPolicy={full, warning (default), Low}
SecuredNetworkProtocol={yes, no (default)}
TLSMinVersion={1 (default), 2, 3}
TLSMaxVersion={1, 2, 3 (default)}
The new INI parameter is independent and has no dependencies on other parameters. SecurityLevel|SecureProtocol
from the Privilege segment is deleted.
ThinOS Lite supports SSL from TLSMinVersion onwards. TLSMaxVersion is the latest version of SSL supported by ThinOS Lite.
If no value is set, then TLSMinVersion is set to TLS1.0 by default, and TLSMaxVersion is set to TLS1.2 by default.
The values 1, 2, and 3 refer to TLS1.0, TLS1.1, and TLS1.2 respectively.
All applications running on the default SSL security mode follow the global mode. In the global mode, the default value is Warning. The
affected applications include File Server, WDM, Caradigm, and OneSign. The following are the exceptions:
File Server and WDM in factory reset state: Before loading any INI parameter, the SSL security mode is set to Low, and after loading the
INI parameter, the value is changed to follow the global mode value. For example, the default value is set to Warning if the value is not
changed by the INI parameter.
A system with previous settings (default value is set to Low) follows the global mode after the unit is upgraded. For example, the default
value is set to Warning if the value is not changed by the INI parameter.
Wyse Management Suite, Citrix broker, and SecureMatrix are always Full.
The following new INI parameters are added to support the changes mentioned:
CaradigmServer=SecurityMode={default,full,warning,none}
OneSignServer=SecurityMode={default,full,warning,none}
FileServer=SecurityMode={default,full,warning,none}
RapportDisable=SecurityMode={default,full,warning,none}
WDMService=SecurityMode={default,full,warning,none}
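The resolution rules above (global defaults, and a per-application SecurityMode of default following the global SecurityPolicy) can be checked against a configuration before it is deployed. The following Python sketch is an added example, not code from this guide or from Dell. It assumes space-separated key=value options on a line and '#' comments, uses hypothetical function names and constructed host names, and compares against a hypothetical site baseline of full mode with TLS1.2 as the minimum. It does not model the factory reset or always-Full exceptions.

```python
# Added example: resolve effective ThinOS Lite SSL/TLS settings from INI text.
# Assumptions: space-separated key=value options, '#' starts a comment.
TLS_NAMES = {"1": "TLS1.0", "2": "TLS1.1", "3": "TLS1.2"}
APP_PARAMS = ("CaradigmServer", "OneSignServer", "FileServer",
              "RapportDisable", "WDMService")

def effective(ini_text):
    """Apply the guide's defaults and the 'default follows global' rule."""
    lines, flat = {}, {}
    for raw in ini_text.splitlines():
        toks = [t.split("=", 1) for t in raw.split("#", 1)[0].split() if "=" in t]
        if not toks:
            continue
        opts = {k.lower(): v.lower() for k, v in toks}
        lines[toks[0][0].lower()] = opts   # options keyed by the line's parameter
        flat.update(opts)                  # global keys may share a line or not
    policy = flat.get("securitypolicy", "warning")
    modes = {}
    for app in APP_PARAMS:
        mode = lines.get(app.lower(), {}).get("securitymode", "default")
        modes[app] = policy if mode == "default" else mode
    return {"policy": policy,
            "tls_min": flat.get("tlsminversion", "1"),
            "tls_max": flat.get("tlsmaxversion", "3"),
            "modes": modes}

def findings(ini_text, required_mode="full", required_min="3"):
    """Compare against a hypothetical site baseline (full mode, TLS1.2 only)."""
    eff, out = effective(ini_text), []
    for key in ("tls_min", "tls_max"):
        if eff[key] not in TLS_NAMES:
            out.append(f"{key} has invalid value {eff[key]}")
            return out
    if eff["tls_min"] > eff["tls_max"]:
        out.append("TLSMinVersion is higher than TLSMaxVersion")
    if eff["tls_min"] < required_min:
        out.append(f"TLSMinVersion permits {TLS_NAMES[eff['tls_min']]}")
    out += [f"{app} SecurityMode resolves to {mode}"
            for app, mode in eff["modes"].items() if mode != required_mode]
    return out

SAMPLE_INI = """\
# constructed sample, not from the guide
SecurityPolicy=full TLSMinVersion=1
FileServer=https://files.example.test/wyse SecurityMode=default
OneSignServer=https://onesign.example.test SecurityMode=none
"""

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_INI)))
```

An INI file that sets none of these parameters resolves to Warning for every listed application and a minimum of TLS1.0, so the check reports all of them.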
File Server default protocol is retained as FTP without any setting from WDM/DHCP/INI and always displays the full address with protocol
prefix. For example, ftp://.
New firmware/client deploy information is as follows:
In a secured environment, such as file server and WDM using HTTPS, with clients in factory default or factory reset status, Dell
recommends that the IT administrator configures the proper file server address in WDM or DHCP, WDM address in DHCP, and uploads all
necessary client certificates to a valid location before turning on the new client or upgrading to the new firmware with DHCP. This