February 25

Droplet Resource Redirection

One cool new aspect of Droplet 2.0 is our redirection features – by default, we take a security posture that all the doors are closed until the System Administrator opens them. As a result, all the redirection features are disabled – in a state of FALSE – in the configuration until they are enabled. The redirection features are not exposed in the UI of the Droplet software and are held in the settings.json.

This is a plain text file in the .json format and is stored in the User Profile in the per-user mode of our software:

C:\Users\%username%\AppData\Roaming\Droplet

This is easily accessed using Start, Run, and shell:AppData

For the Windows system service mode of our software the same file is held in:

C:\ProgramData\Droplet

In a file called settings.json

{
  "imagePath": "C:\\Users\\Michelle Laverick\\Documents\\DCI-M7x32-DSAv2.7-OFFICE2003-USB.droplet",
  "memorySize": "4G",
  "cpuCoreCount": 2,
  "useAcceleration": true,
  "useFileshare": false,
  "nonPersistentMode": false,
  "usbDevices": [
    "HP Color LaserJet Pro MFP M177fw"
  ],
  "firewall": {
    "defaultRule": "allow",
    "rules": []
  },
  "createDesktopShortcuts": true,
  "enableDomainLogon": false,
  "redirectPrinters": false,
  "redirectClipboard": true,
  "redirectDrives": true,
  "redirectComPorts": false,
  "redirectPNPDevices": false,
  "redirectAudio": true
}

As you can see, the redirection settings are the redirect* entries at the end of the settings.json – and hopefully, they make sense without too much explanation.

RedirectPrinters looks at the local printers of the Windows 10 or Apple Mac system and makes them available inside the container. By default, we use a compatibility driver which means no printer driver needs to be installed inside the container. This gives zero-printer configuration capability inside the container for printing.

This compatibility driver can be disabled using a Local Security Policy setting (accessed using gpedit) – and this enables customers to install a native printer driver into the container. That can be helpful for specialist multi-function printers where a compatibility driver simply doesn’t offer all the functionality the user expects.

For USB-enabled scanners, we would recommend our USB edition to provide a native scanning application from the hardware vendor. Incidentally, you can see I’m using the USB edition in my settings.json to capture my HP LaserJet printer so I can demo scanning from within the container.  More about our USB support in future posts.

RedirectClipboard. Enables a bi-directional copy and paste functionality between apps running locally in Microsoft Windows, Apple macOS, Chromebook, or Linux and the containerized app. You might think it a bit weird that this is turned off by default – but some customers are concerned about the ease with which data from a legacy application can move from the containerized app to the host device – that seems to be an anxiety in remote desktop environments like Microsoft RDSH, Citrix Virtual Apps, VMware Horizon View, and Amazon Workspace/AppStream. For me, it’s the first redirection feature I turn on – life without a clipboard is like having one arm tied behind your back, or like losing your phone and realizing how it’s now actually an extension of your body.

RedirectDrives. As with printer redirection, this picks up the host device drive letters – both local and network mapped drives – and exposes them into the container. This makes it very easy for end-users to retrieve data and save files. When used together with RedirectPrinters it means pretty much the ‘core’ aspects of the user environment are handled programmatically – without the need for policies, login scripts, or having to join containers to the domain (which incidentally we do support if needed…).

So you know, we do have our own File Synchronization service – which allows for a complete out-of-band, network-less method of transferring data in and out of the container – for customers who for security reasons might block SMB/CIFS traffic or find RedirectDrives exposes too much functionality. Remember that the local policy always wins – so you can easily block or hide specific drives using the gpedit tool.

Finally, whilst RedirectDrives gives excellent performance, if you are looking to move large amounts of data out of the container – I would still recommend standard mapped network drives driven by the SMB/CIFS protocol – pound for pound it offers better IOPS. Configuring that is relatively easy, but don’t forget we now support joining the container to an Active Directory Domain, which means you can leverage existing GPO/Scripts to manage the setup of the environment as well as using your profile management system if you choose to go down that route.

RedirectComPorts. Yes, I know, COM/LPT ports – who has those these days, right? Well, you’d be surprised how many service and support centers in engineering environments (Automotive, Aviation, and Healthcare) still use COM/Serial ports. Some of that stems from the nature of the business – after all a train, plane or expensive medical equipment can have a 10/20/30/40-year life span. In the main, most customers plug in an inexpensive USB-to-Serial dongle (PCI cards do exist for desktop PCs as well). We automatically pick up on these interfaces and redirect them to the container – so if the COM port is COM1 on the physical machine it will be COM1 in the container.

RedirectPNPDevices. I wouldn’t say this setting doesn’t do anything. But its usefulness has proved to be limited; it was originally developed for a customer problem with legacy PCI devices, which in the end we found a better way of handling. It’s stayed in the settings.json just in case we face a similar issue in the future. The problem we had was with a customer who had an expensive piece of scanning equipment managed by an ancient Windows PC. The scanner was still good, and it wasn’t economical to replace it for want of a Windows PC. In the end, we used Linux on the physical machine, and used PCI redirection to run the legacy Windows software inside the container. That was more robust, stable, and drove better IOPS.

RedirectAudio. This allows for bidirectional audio – so both playback and record – and is in use with some of our healthcare customers where health professionals give audio descriptions of patient scans – which are later typed up as notes for patient records. So, you won’t be using this to watch Netflix or listen to Spotify, but the quality is more than good enough for the applications where we see it used.

Summary:

As you can see, the settings.json hosts a whole series of features and options not exposed in our UI – but by a country mile – it’s the redirection settings that impact the user experience the most.
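An added example (not Droplet's own tooling): a Python check that reads settings.json from the two locations named above and reports which redirect* doors are open beyond an administrator-approved set. It assumes an absent key means disabled, in line with the default-FALSE posture described; the `approved` set and the function names are hypothetical.

```python
import json
import os
from pathlib import Path

# The six redirection keys shown in the post's settings.json.
REDIRECT_KEYS = (
    "redirectPrinters", "redirectClipboard", "redirectDrives",
    "redirectComPorts", "redirectPNPDevices", "redirectAudio",
)

def candidate_paths():
    """Per-user and service-mode locations named in the post (Windows)."""
    appdata = os.environ.get("APPDATA", r"C:\Users\%username%\AppData\Roaming")
    programdata = os.environ.get("ProgramData", r"C:\ProgramData")
    return [Path(appdata) / "Droplet" / "settings.json",
            Path(programdata) / "Droplet" / "settings.json"]

def audit(text, approved=frozenset()):
    """Return (severity, key, message) findings for one settings.json body."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # Typographic quotes or a trailing comma land here.
        return [("error", "-", f"not valid JSON: {exc.msg} at line {exc.lineno}")]
    if not isinstance(cfg, dict):
        return [("error", "-", "top level is not a JSON object")]
    findings = []
    for key in REDIRECT_KEYS:
        value = cfg.get(key, False)  # assumption: an absent key means disabled
        if not isinstance(value, bool):
            findings.append(("error", key, f"expected true/false, got {value!r}"))
        elif value and key not in approved:
            findings.append(("open", key, "enabled but not in the approved set"))
        elif not value and key in approved:
            findings.append(("info", key, "approved but currently disabled"))
    return findings

# Constructed sample mirroring the redirect* values in the post.
SAMPLE = """{
  "redirectPrinters": false, "redirectClipboard": true, "redirectDrives": true,
  "redirectComPorts": false, "redirectPNPDevices": false, "redirectAudio": true
}"""

if __name__ == "__main__":
    for path in candidate_paths():
        if path.is_file():
            body = path.read_text(encoding="utf-8-sig")  # tolerate a BOM
            for finding in audit(body, approved={"redirectClipboard"}):
                print(path, *finding)
```

Run per host or per profile, the "open" findings show where a redirection has been enabled outside the agreed baseline, and the "error" findings catch a hand-edited file that no longer parses.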



Posted February 25, 2021 by Michelle Laverick in category "Droplet Computing"