Current Information About Zero Clients, PCoIP, and Other Secure Endpoints
The tech industry adapts and changes as time goes on, and ClearCube has always maintained the position as a trusted partner to assist our customers with finding the right technology solution.
This page is serving as a quick reference for our client base and partners regarding the changes we see coming over the next 3-5 years.
The Basics of Zero, Thin and Trusted Clients
What is a Zero Client?
A Zero Client is an ultra-secure, stateless endpoint device that receives encrypted pixels, rather than actual data. Because zero clients effectively have no (zero) OS, session memory, or storage, they are the ultimate secure endpoint. Deter viruses and malware and feel protected if the device is lost or stolen. Moreover, IT can lock the device so that end users cannot copy or download data.
Using a zero client with an integrated CAC (common access card) card reader allows multiple employees to share the same device but with different levels of access to the server, cloud, or data center. Because the CAC reader is integrated, you can attain security level access with fewer cords, peripherals, and with a less cluttered desktop.
What is a Zero Client?
A Zero Client is an ultra-secure, stateless endpoint device that receives encrypted pixels, rather than actual data. Because zero clients effectively have no (zero) OS, session memory, or storage, they are the ultimate secure endpoint. Deter viruses and malware and feel protected if the device is lost or stolen. Moreover, IT can lock the device so that end users cannot copy or download data.
Using a zero client with an integrated CAC (common access card) card reader allows multiple employees to share the same device but with different levels of access to the server, cloud, or data center. Because the CAC reader is integrated, you can attain security level access with fewer cords, peripherals, and with a less cluttered desktop.
What are the types of zero clients and the alternatives?
Zero Client (TERA2 chip-based)
- Utilizes proprietary TERA2 chips for secure connections to a single designated host computer on a specific network
- Supports limited 4K displays (DP models only)
- Offers dual- and quad-display options
- Available with either copper or fiber network connections
- Uses the PCoIP protocol
- Can connect to the host computer via a one-time purchase Remote Workspace Card (host card) or HP’s Anyware software
Trusted Zero Client
- Latest generation of zero client
- Software-based instead of hardware-based
- Manufactured with an official “birth certificate” for authentication in a Zero Trust environment
- Uses PCoIP (or PCoIP Ultra) secure protocol via HP’s Anyware software
- Trust Center management console for endpoint management and verification of trusted status
- Ability to lock device out of network connection if authentication fails
Zero+ Client
- Features soldered-down internal components for heightened security
- Can be restricted to a single connection via a designated protocol
- Permitted to make additional connections, e.g., secure Stratodesk connection to a network and access to internal systems, browsers, etc.
- Offers a secure endpoint with flexibility to operate across various VDI environments
- Allows access to multiple networks/software programs as permitted by IT
Zero Client (TERA2 chip-based)
- Utilizes proprietary TERA2 chips for secure connections to a single designated host computer on a specific network
- Supports limited 4K displays (DP models only)
- Offers dual- and quad-display options
- Available with either copper or fiber network connections
- Uses the PCoIP protocol
- Can connect to the host computer via a one-time purchase Remote Workspace Card (host card) or HP’s Anyware software
Trusted Zero Client
- Latest generation of zero client
- Software-based instead of hardware-based
- Manufactured with an official “birth certificate” for authentication in a Zero Trust environment
- Uses PCoIP (or PCoIP Ultra) secure protocol via HP’s Anyware software
- Trust Center management console for endpoint management and verification of trusted status
- Ability to lock device out of network connection if authentication fails
Zero+ Client
- Features soldered-down internal components for heightened security
- Can be restricted to a single connection via a designated protocol
- Permitted to make additional connections, e.g., secure Stratodesk connection to a network and access to internal systems, browsers, etc.
- Offers a secure endpoint with flexibility to operate across various VDI environments
- Allows access to multiple networks/software programs as permitted by IT
What's the difference between a zero client and a thin client?
| Zero Client | Thin Client | |
|---|---|---|
| Can make secure connections to remote computers or virtual computers via direct network connection or VDI platform | ✔ | ✔ |
| Copper Connection | ✔ | ✔ |
| Fiber Connection | ✔ | ✔ |
| Supports 2-4 displays | ✔ | ✔ |
| Supports integrated or external common access card (CAC) readers | ✔ | ✔ |
| Small form factor devices | ✔ | ✔ |
| No session memory after a power cycle | ✔ | |
| During a session, the data and computing are done at the host computer | ✔ | |
| No usable digital footprint from a session | ✔ | |
| All connection settings are contained in a locked firmware | ✔ | |
| Operating System | ✔ | |
| PCoIP | ✔ | |
| Memory | ✔ | |
| Storage | ✔ |
Due to the nature of a thin client, there’s greater flexibility for IT to give permissions to users that could open the door for a user to be able to copy and store potentially (small amounts of) confidential information to the device. ClearCube thin clients can be remotely managed, and they can be reassigned/repurposed or moved to a new VDI architecture without re-flashing them (not always the case with our competitors’ thin clients). This allows thin clients to be a “future proofing” tool for IT in environments where IT architecture is likely to change through upgrades, divestitures, acquisitions, mergers, etc.
ClearCube Zero+ clients offer all the same flexibility of thin clients but with the added physical protection of soldered down internal components to prevent data access through tampering or disassembly.
Industry Transition & Options
Zero clients & PCoIP with VMWare
There is a lot of confusion about the future usability of zero clients and PCoIP, particularly in a VMWare environment. The confusion comes from an unclear understanding of which future VMWare Horizon versions will not have integrated PCoIP and a lack of understanding of the latest generation of zero clients, Trusted Zero Clients, and their planned compatibility with VMWare Horizon, both now and future versions.
First, let’s understand that traditional zero clients using PCoIP, connecting to a host computer with either a physical host card (“Remote Workstation Card”, RWC) or using HP Anyware software (that replaced what was formerly known as Cloud Access Software) will remain an ongoing, viable zero client solution. Because traditional zero clients are known to have such an extended, service-free lifespan, this zero client solution has a continuing future.
VMWare's official statement regarding PCoIP (date):
“We will include PCoIP as a protocol option in the Horizon Client and Horizon Agent through the end of 2025. At that point in three years, we will remove the PCoIP protocol option from all new Horizon releases. Note that all Horizon releases are supported for three years from ship date. This means that the client and agent that will ship in 2025 will be supported until the end of 2028…The PCoIP protocol is owned by HP Teradici (Teradici was acquired by HP in 2021), and together we have been working on some exciting initiatives, including with HP Anyware Zero Clients and high-end graphics support.”
For more information, here is a link to the VMWare blog containing their full statement: Announcing end of support for PCoIP in VMware Horizon – VMware End-User Computing Blog
This indicates that updates to version 8.x (and prior versions) through 2025 will continue support for PCoIP. After that, PCoIP will continue to work on those versions with security updates through 2028. The next major release of VMWare Horizon, Version 9.x, is not expected to include built-in PCoIP support. Therefore, upgrades to Version 9.x would end support for the built-in version of PCoIP from VMWare. That said, the new Trusted Zero Clients, when used in combination with the HP Anyware software, are expected to be compatible with new Horizon releases and updates. Future updates to the TZC firmware are planned to have support for VMWare Blast to continue with the built-in Horizon protocol option, mitigating the need for the additional HP Anyware software.
Next Steps?
The next step for many organizations is to discuss your options and settle on an evaluation unit to test in your setting and application.
