Ultra Thin Client Technology
Absolute security, no BIOS, no OS, no file management

European Thin Client manufacturer

FAQ - Use in the TSE - RDS Environment

Most Frequently Asked Questions about Installing AXEL Thin Clients in the RDP Environment

AXEL Thin Clients M70 and M75 Can't Be Connected to a Server 2012R2

AXEL Thin Clients models M70 and M75 are certified for servers 2012R2. If the connection is refused, please check the following:

  1. Firmware must be up to date
    If not, download the last firmware revision from our web site.
  2. On the server side, NLA must be 'not mandatory'
    By default a server 2012R2 requires the NLA support (Network Level Authentication). With NLA, the RDP protocol is included in a SSL tunnel. But no SSL client is embedded with AXEL Thin Clients models M70/M75. Then, the requirement of NLA must be disabled.
    This is done with the 'Server Manager' (go to RDS collection settings)

Connection Error: “Invalid Client”

The error message "Invalid Client “ indicates a licensing issue and is caused by the scenarios below:

  1. All current CAL’s are being used: more CALS must be bought.
  2. The terminal has previously been used on a different server and has an old license token which is not compatible with the new server. The solution is to delete "license token" in the terminal’s store. (Enter the thin client set-up and go to [Configuration]-[Advanced]-[Local Store]).
  3. The Windows server refuses to convert the temporary license to a standard license. In which case it is necessary to update the server:
    - For Windows 2003, install Service Pack 1
    - For Windows 2000, see this article http://support.microsoft.com/default.aspx?scid=kb;en-us;827355. 

Connection Error: The server encryption level is not correct

This error is displayed because the encryption level of the thin client session is lower than the minimum required by the Microsoft server. Either the encryption level on the thin client side should be increased or the server’s level reduced.

Note : For the encryption setting of the terminal, enter the set-up and select the [Configuration]-[Sessions]-[Session X]-[Additional Parameters].

Connection to Windows (RemoteApp or TSE/RDS session)?

Two types of connection are available:

  • Individual session: This is a dedicated connection to a server, a broker or a farm of servers. The target resource can be either an application or more often a desktop.
  • RemoteApp Desktop: This feature allows a user, after authentication, to see the icons of his published applications on the terminal’s desktop. Launching a published application is simply done by clicking the associated icon whereupon an RDP session is automatically established to the resource.

For configuration only the name or the IP address of the server (http or https), needs to be entered. (No need of the path to 'rdweb').

Note: These two types of connection can be configured and used at the same time with the same AXEL Thin Client.

Internal Error: 'This may be due to an expired password'

This message can be displayed when connecting an RDP session.

Explaination:
The Microsoft password expiry mechanism does not work when the terminal and the server have negotiated to use NLA, so when the user's password has expired the login will fail.

Solution:
NLA (SSL tunnel with an NTLM authentication) is a security layer negotiated by both the RDP server and the AXEL Thin Client.
To allow the expiry mechanism to operate, NLA must be disabled:

  • On the server side: disable the 'policy' where the Network Level Authentication is required for RDP sessions
  • On the thin client side: enter the set-up and in the 'Additional Parameters' of the RDP session profile, set the 'Default Security Level' to 'RDP'.

For the next RDP connection, the 'Microsoft logon screen' will let the user's password to be changed.

Is the Thin Client Compatible with VDI?

Usually a RDS session connects to a physical or virtual Windows terminal server (ie 2003, 2008, 2012, 2016, 2019 or 2022) and provides a session-based connection. This allows multiple thin clients to connect to a single server.

With VDI, the terminal connects to a virtual machine via an RDP connection, typically a virtual Windows7 or 8 pc.

For a VDI installation the thin client must use the RemoteApp Desktop to allow the user to authenticate. After successful authentication icons for the virtual machine(s) are displayed on the local AXEL desktop.

After clicking in the icon a connection is established to the VM, or possibly a virtual machine is be created “on the fly”, depending on the VDI configuration.

The AXEL Thin Clients models M80 and M85 support this method of operation

Note: A simple RDP session can manually be configured to point a session on a virtual machine/PC – but this would not take benefit of the dynamic nature of a true VDI deployment

Local Logon vs Windows Logon

When an RDS/TSE session is established, a local logon box may be displayed (instead of the usual Windows graphical logon).
Is it possible to remove this local logon box to return to the Windows logon?

But before doing so certain factors should be taken in account.
The local logon is displayed in the following cases :

  • The ‘local authentication’ of the TSE/RDS session is enabled (to avoid multiple authentications due to broker usage – See article P6 of this section)
  • A gateway is set-up
  • The NLA security layer is enabled (Default for Windows 2012/2016)

The local logon can be disabled only for the last case. Disabling NLA at both the thin client and the server levels will allow the Windows logon to be displayed.

Note: if NLA is disabled "User Profile Disks (UDP) do not operate.

At the server level:
Run the policy editor and select :
Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsRemote Desktop ServicesRemote Desktop Session HostSecurity
Disable the policy
Require user authentication for remote connections by using Network Level Authentication.

At the thin client level:
Enter the set-up and go to [Configuration]-[Sessions]-[Session 1]-[Additional Parameters].
Set 'Default Security Layer' to 'RDP'.

Multiple Authentications are Requested Before Being Able to Login

Problem:
The user is requested to authenticate themselves multiple times before being able to login

Explanation:
As part of the 'Load balancing' mechanism the RDP connection can be passed around several servers, each one requiring the user to login.

Solution:
Enable the “Local Authentication” setting in the terminals configuration. This will allow the terminal to temporarily cache the credentials and automatically offer them when requested.

Server 2012/2012R2, Keyboard Indicator LEDs may be Reversed

With an RDP session on server 2012/2012R2, the keyboard indicator LEDs (Caps Lock or Num Lock) may be reversed.
For example, Caps Lock LED is lighted on, but data input is in lowercase.

Explanation:
This is due to the RDP server and can be experienced with any RDP client (PC or AXEL Thin Client). Unfortunately Microsoft doesn’t plan to release a fix for this issue.

Solution:
The workaround is a special hot-key available for AXEL Thin Clients: <Ctrl><Alt><L>.
This allows the RDP server to be synchronized with the thin client keyboard indicator LEDs
Note: This hot-key is available from 1236d.16011 firmware.

The TSE/RDS Session doesn't Connect

The possible cases are:

  1. The screen stays on message 'Connecting' for 20 seconds, then the session closes.
    This means that the IP address of the Microsoft server is unreachable. Check the IP address or routing tables of the thin client. (Try to ping the server from the terminal).
  2. RDS/TSE session closes immediately.
    Possibly the TCP port (default 3389) is not accessible from the Microsoft server side (due to firewall problem or RDS not configured properly).

If SSL/TLS (with or without NLA) is activated potential problems may be experienced:

  • AXEL Thin Client models M70 and M75: Do not support this security layer. It must be disabled on the server side.
  • AXEL Thin Client models M80 and M85: Update to latest firmware (Firmware Download).

TSE/RDS License

AXEL Thin Clients used with TSE/RDS require TSE CAL licenses.

If the licensing mode (on server side) is 'per user' the thin client is inert and inactive regarding the licensing mechanisms.

If the licensing mode is 'per device' a license token is sent to the thin client on the first login. This token must be presented by the thin client for subsequent connections. The information box (<Ctrl><Alt><i>) indicates whether a token has been received by the thin client.

In case of problems, you can delete this token (In AXEL Thin Client's Setup, go to [Configuration]-[Advanced]-[Local Store]).

TSE/RDS Session Information

Pressing <Ctrl><Alt><i> provides a dialog box that displays information about the current connection : encryption, possible gateway, license token, resolution, number of colors, list of redirected resources, compression....

What is the RDP Version of AXEL Thin Clients?

The AXEL RDP client can't be directly compared with the generic Microsoft client. (RDP Client version 5, 6, 7 or 8).

AXEL license RDP under license from Microsoft and re-write in low level machine code. We select the functions and features that are applicable to our product and thin clients, so we cannot claim to be fully compatible with any specific versions of RDP, but we endeavor to keep the client fully up to date. For example our current client (March 2014) supports the key feature of W2012/W8 (NLA, USB redirection, RemoteFX etc)

 

What Versions of Windows are Supported?

This on the thin client model :

  • AXEL Thin Client models M80, M85, M90, M95, G10 and G15: NT4 TSE to 2022 (Multipoint included)
  • AXEL Thin Client models M80WMS: Multipoint
  • AXEL Thin Client models M70 and M75: NT4 TSE to 2012R2 (Multipoint included)
  • AXEL Thin Client model M65: NT4 TSE to 2003 SP1

Security :
Layer security (RDP standard encryption low, medium and high) is supported by all models.
Connection via SSL/TLS and NLA is supported by models M80, 80WMS, M85, M90, M95, G10 and G15.

RemoteApp :
RemoteApp is supported on M80, M85, M90, M95, G10 and G15 with a server 2008r2 up to server 2022.

French headquarter :
 Z.A. Courtaboeuf - 14 Avenue du Québec - Bat KENTIA - BP 728 - 91962 Les ULIS Cedex
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram