Thursday, February 17, 2005

Sun's Thin Clients vs Other "Thin Clients"

JustinS posted a comment asking about the difference between a thin client like Sun's new Sun Ray 170 and alternative devices. I specifically mentioned Wyse in a previous story. This is the form factor for their Winterm S30 and their Winterm S50. The S30 runs Windows CE 5.0 while the S50 runs a Linux distro with the 2.6 kernel. In my opinion, these aren't "thin clients" at all, but rather "embedded" devices.

In contrast, the Sun Ray does not run a conventional operating system. It doesn't run embedded Windows, Linux, or Solaris. There is enough logic on the Sun Ray to support a TCP/IP stack and display graphics. That's it. All of the work is done on the Sun Ray Server. With version 3.0, the server can run on Solaris or several Linux distros. I personally plan to run Red Hat or Fedora. You can confirm my claims by reading the Sun Ray Overview .pdf.

You could argue that the Sun Ray is running some sort of operating system, but I would counter by saying it's much more limited than Windows CE or Linux. Simple = more secure. Microsoft publishes security patches and service packs for Windows CE and Windows XP Embedded. Sun only publishes patches for its Sun Ray Server software. With a Wyse terminal, you may find yourself needing to patch their so-called "thin client." Patching dozens, hundreds, or thousands of "thin clients" sounds the same as patching general-purpose PCs. With the Sun Ray, you let a real thin client sit on a user's desk while you only patch the Sun Ray server.

I'm not arguing the Sun Ray is the answer to everyone's problems, but I do see it as being several steps in the right direction.

Update: I just read Network Computing's review of "remote-display servers." These include products like Citrix MetaFrame. Unfortunately, NWC mixes the term "server-based computing" with "thin clients" throughout the article. Here's the deal: all of the so-called "thin clients" in this story are PCs running Windows 2000:

"For our performance tests, we set up 30 workstations running client software to connect to each of our five display servers. These workstations were all members of our test Active Directory domain, and each ran Windows 2000 Professional."

These workstations run special clients to connect to centralized servers running applications like Microsoft Office 2003 and so on. So, instead of having to install Office on every PC, you use the copy on the central server. This is a step in the right direction, but I would encourage NWC and others to avoid the term "thin client" when talking about these products and instead focus on the term "remote-display computing." These Windows 2000 desktops aren't thin at all; you still need to patch and secure Windows 2000 on every box.

13 comments:

Tom Hunt said...

As I remember, a Sun Ray server does push some updates to the Sun Ray boxes. It doesn't happen too often. Essentially all of the updates patch the Solaris server itself.

Anonymous said...

...These Windows 2000 desktops aren't thin at all; you still need to patch and secure Windows 2000 on every box.
posted by Richard Bejtlich # 10:41
Hmmm ... "These" may be almost any client, some of which I am using, and did not have to patch that often ...

Richard Bejtlich said...

What is your point, exactly? You still need to run Citrix MetaFrame clients on a general purpose operating system like Windows, Linux, etc. If you're running the Citrix client on a full-fledged workstation OS, you still need to configure, patch, and maintain the workstation OS. That's not a real "thin client" like the Sun Ray.

Anonymous said...

1. You mentioned only Windows 2000 as clients, which is from the category of OS-es notorious for patching needs
2. Having said the above, I wanted to complete the information, stating that there are clients which need less patching, or could be treated differently. For example, I have DOS ICA clients, and I am "toying" around with the idea of "upgrading" them to stripped down versions of Linux live CDs, with ICA installed - this way, the number of needed patches decreases, and - when critical - I just have to deal with the logistics of distributing new CDs, vs. "touching" systems.

Hope this clarifies my point ...

Richard Bejtlich said...

Yes, thank you. The idea of running a stripped-down liveCD with your Citrix client is intriguing.

Daniel Ward said...

Please correct me if I am wrong - I am no expert - this is only my understanding.

I work with SunRay thin clients - and it is a love/hate relationship. I love them because they are so easy to implement - just set them up - BOOM .. done. I hate them because they are part of a turnkey solution and you can't do squat without the SunRay Server software.

If you are only connecting to the server that is running the SunRay Server software then there is no real issue. However, if you want to connect to another X terminal, or connect to Windows / Citrix terminals you are creating more network traffic.

For example - I have a Sun Blade 150 in my office as well as a SunRay 150. To connect from my SunRay to my SunBlade - the SunRay Server communicates with the SunBlade, then sends the data back over the network, back to me, wasting network resources and also SunRay CPU time (since it has to re-encode the Display protocol into its own proprietary one). With a pudgy client, I have the X server running right there - so I can run apps from wherever and it is a direct communication. Furthermore, most have RDP and ICA clients as part of the image so there is even less bandwidth and Server CPU waste. If you can get a recent web browser like Firefox (which the S50 has) then you are really sailing.

The only thing I don't like about the S50 is that right now, it is closed - you cannot put your own image into it. However, I was reading a review site and it indicated that the new Rapport software, to be released in Q2-Q3 2005, will allow you to use your own images, and also switch between WinCE, Embedded XP, and Linux.

Also, as for the point about having to run around and update every thin client, making it as big of a headache as a PC - no way. Almost every thin client I have seen has management software that allows you to update everything in one shot, over the network - or export a new image to a USB Flash drive, and update it with that.

The three main benefits (from what I can see) to Thin Clients are:
-they are solid state - no moving parts - means a greater MTBF
-external Power Supply (Usually) - solves power related issues.
-less power consumption - often overlooked .. when you have hundreds or thousands of workstations - this makes a HUGE diff.

Richard Bejtlich said...

Hi Daniel,

Thanks for your comments. Can you elaborate -- you mention a "S50". Is this the Wyse Winterm S50?

I see your point about using a "display protocol" within a "display protocol." In other words, it would seem to be more efficient to use your thin client to directly connect to a system that exports X windows, or RDP sessions, or VNC, etc. Having access to the local Xterm or RDP client or VNC client implies running an OS locally on the "thin client," which I prefer to avoid.

I think the traffic issue depends on the way you architect the network. I plan to deploy the Sun Ray clients on their own dedicated network, shared only with the Sun Ray server. The Sun Ray server will be dual-homed to be on the rest of the "corporate network" and will be able to connect to the Internet, etc.

Daniel Ward said...

Yes, the Wyse Winterm S50 (www.wyse.com/products/winterm/S50/index.htm)

As for planning the network, you would almost have to dedicate the SunRays to their own "branch" - so the rest of the network would only see the SunRay server.

What reasons would you avoid running a local OS? I have given thought to this as well - and there really is not enough room in the Thin Client flash memory to use it as a workstation, but there is enough room that you can take advantage of some locally installed apps, that cater to your specific needs (and we all know that everyone's needs are diff). ie. Java, Web Browser, etc.

As for durability - even an embedded OS is solid state.

The school I am working at is using Netware extensively - and Novell is releasing a Linux Netware client ... so the ability for users to log in, and have their personal drives available as mounts within the thin client configuration, and a customized application launcher configured according to ZENWorks for Desktops - is something that may be desirable. With the SunRays - we are locked into the Sparc platform, which will not be able to run the Linux Netware client - even if we could setup eDirectory on Solaris and get personal mounts happening - we are opening our server up to a variety of exploits and security concerns... I would much rather deal with a Thin Client with an embedded OS - one that I can reflash in an instant.

As for security of the Thin Clients - I understand that. Personally I have stopped using Linux and have moved over to OpenBSD just for the security-focused mentality. But what kind of security problems is a Local OS on the thin client going to cause, versus someone sitting down with a laptop and swapping out the Thin Client's Network connection?

Richard Bejtlich said...

Hi Daniel,

Sun Ray Server 3 is the first version to support Linux. I plan to run either Red Hat EL or Fedora Core on the Sun Ray Server. I used a Solaris-based setup several years ago, and that was a bit constrained application-wise. Now that Linux is supported, there is a much richer desktop environment available.

John said...

Hi Richard,

I'd love to hear about your experiences getting Sun Ray server working on Fedora. I have only been able to get it working on Centos 3.4 so far. I'd love to be able to deploy it on our main desktop server which runs FC4.

john.francis at gmail dot com

Richard Bejtlich said...

John,

I did not set up the software. We had a resident Red Hat expert do it.

Mike Liu said...

Any chance of me hooking up with this resident Red Hat expert for some hands-on guide? We are trying to install sunray on fedora 6, and thus far have been running into nothing but trouble.

Thanks in advance!

mike

Anonymous said...

Mike:
We have implemented SunRay clients with both Fedora Core 3 and RedHat Enterprise Linux 4.

Overall, the functionality under Fedora was acceptable, but without audio or USB. It also took one of our sharpest senior engineers several weeks of (very frustrating) hackery to get it to that point. (I suspect that the audio/USB would have worked after more time spent on the task, but the cost savings from using Fedora over RHEL were already lost at that point.)

We later deployed the server on an RHEL4 box. Note, though, that Sun supports only RHEL3 for their out-of-the-box build. The EL4 build took much less work to get functional than the FC3 one, but there were some residual issues with regard to the SunRay server software's desire for specific library versions, etc. Time spent building the EL4 was around 40 hours, I believe.

Overall, if you are planning on a SunRay-on-Linux solution, go with Sun's recommended operating system build so you can get the support. Even at a moderate bill rate, the cost will likely end up much lower to buy their preferred solution than to engineer a "cheaper" operating system to play nice with their software.

Of course, this assessment is highly dependent on the existing experience level you have on hand, and what you plan to get out of the project. If learning the guts of SunRay server software is important or even useful, you'll certainly learn a lot about the system by getting your hands dirty.

Oh - our best resource during both of the projects mentioned above was one of the SunRay forums out there. I do not have the link or site handy, but it was a top result for searches like "SunRay Server Fedora Core 3", etc.

Good luck!