This post has already been read 8240 times!
I had a slight issue whereby the guys overseas wanted to deploy a Kiosk Mode Internet Terminal but they wanted to do this on a thin client. Initially I did not give this much thought and just gave it the old “yep, course we can do that!!” but then as the time neared and the colleagues start to travel for the install I started to give it a little more thought.
The problem and pre-reqs were this:
- Locked down thin client to sit in a remote office
- NO Domain access for the thin client
- ALL web traffic to come through the proxy server
With this in mind there are some obvious challenges here. The main one being “Without adding a bypass for the proxy server how can you authenticate when not a member of the domain?”
Starting with the build. I created a thin client build that was locked down tight. This does not have to be imbedded Windows or even Linux. The ONLY pre-req with this is that it needs to have network connectivity to your XenApp farm and it must have a Citrix Receiver on it and have the ability to run ica files.
Once the build is done you have to set up a Kiosk Mode internet icon. This can be any browser and can be configured how you like but for what it is worth I would manage all the settings via Gpo and lock the browser down tight. Remove the ability to save passwords and URL history and any other settings you feel relevant for a kiosk mode device.
Once you have a build and before you lock the image for deployment create an ica file on the local device and set it to auto run upon the machine start up. Set the contents of the ica file to the below. (note this is a basic setup, if you want more advanced configuration options you should look up ica file options with your favourite browser!)
TcpBrowserAddress=(address of your controllers)
Now, I know that this is a clear text password BUT the device should be locked down enough that the user cannot get to the C Drive and view the contents of this file. Also it may be work setting up “Log On To” access in the AD for the user account you use. This would lock it down to specific devices.
Hope this helps, please share and comment if you find this useful.