• ×
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.
    Windows 11 Support Center.
  • post a message
  • ×
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.
    Windows 11 Support Center.
  • post a message
Guidelines
Are you having HotKey issues? Click here for tips and tricks.
Check out our WINDOWS 11 Support Center info about: OPTIMIZATION, KNOWN ISSUES, FAQs, VIDEOS AND MORE.
Locked

‎10-30-2019 03:46 AM

HP Recommended
Product: T630
Operating System: Microsoft Windows 10 IOT

I've been tasked with managing external Thin Client's that can communicate with a HPDM Server in our DMZ.

The idea would be that the TC would be locked in to the HP Kiosk mode with a preconfigured connection to our Citrix storefront page and the ability to connect to a wireless network.

 

My Security dept have a few questions, just hoping Chen or someone in the community in a similar setup can help with a few of them:

 

1. Is there a best practice closing ports on the Thin Client itself to minimize risk?

2. What is the best practice patching TC's sat outside the organisation? Do you turn on automatic updates and ensure the user initiates any updates or do you send them down via HPDM, if the latter, is there a good way of doing it?

3. Authentication, what is stopping someone purchasing a Thin Client that knows the address of our ecteranl facing gateway and connecting? Is there a way to prevent that?

 

Thanks in advance.

1 ACCEPTED SOLUTION

Accepted Solutions

‎10-30-2019 08:15 AM

HP Recommended

Hi Luke,

 

I think the priority #1 should be to make sure the wireless connection is secure enough.

 

From HPDM perspective, if you look at the admin guide and search for "DMZ", you will see those ports that DM Agent required for communication. Basically open those ports and block rest of the ports will somehow help on this.

 

Regarding patching the TC - I would recommend to patching through HPDM. If you go to the HPDM Update Center from HPDM Console, the certified windows update will be listed there. Simply click one of them to generate a HPDM template, you can define rule task to patch those update, or send it directly to a group of your thin client.

 

For the third question - from what I understand, as of today if a Thin Client knows the address of gateway and have access to the network, there is nothing HPDM can do to prevent the connection. I guess I can pass the feature request to product team to see if they can enhance this feature in some way.

I am an HPI Employee.
My opinions are my own, and do not express those of HPI.
**Click the White Thumbs Up Button on the right to say Thanks**

View solution in original post

Was this reply helpful? Yes No
1 REPLY 1

‎10-30-2019 08:15 AM

HP Recommended

Hi Luke,

 

I think the priority #1 should be to make sure the wireless connection is secure enough.

 

From HPDM perspective, if you look at the admin guide and search for "DMZ", you will see those ports that DM Agent required for communication. Basically open those ports and block rest of the ports will somehow help on this.

 

Regarding patching the TC - I would recommend to patching through HPDM. If you go to the HPDM Update Center from HPDM Console, the certified windows update will be listed there. Simply click one of them to generate a HPDM template, you can define rule task to patch those update, or send it directly to a group of your thin client.

 

For the third question - from what I understand, as of today if a Thin Client knows the address of gateway and have access to the network, there is nothing HPDM can do to prevent the connection. I guess I can pass the feature request to product team to see if they can enhance this feature in some way.

I am an HPI Employee.
My opinions are my own, and do not express those of HPI.
**Click the White Thumbs Up Button on the right to say Thanks**
Was this reply helpful? Yes No
Warning
Be alert for scammers posting fake support phone numbers and/or email addresses on the community.
If you think you have received a fake HP Support message, please report it to us by clicking on "Flag Post".
† The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.
Didn't find what you were looking for? Ask the community
† The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the <a href="https://www8.hp.com/us/en/terms-of-use.html" class="udrlinesmall">Terms of Use</a> and <a href="/t5/custom/page/page-id/hp.rulespage" class="udrlinesmall"> Rules of Participation</a>.