Oracle Secure Global Desktop Administration Guide for Version 4.6

Windows Applications

This section describes how to configure Windows application objects.

This section includes the following topics:

Configuring Windows Application Objects

You use a Windows application object if you want to give a Microsoft Windows graphical application to users.

In the Administration Console, the configuration settings for Windows application objects are divided into the following tabs:

The following table lists the most commonly used settings for configuring Windows application objects, and how to use them.

Attribute – Description

  • Name – The name that users see.

  • Icon – The icon that users see.

  • Application Command – The full path to the application that runs when users click the link. The application must be installed in the same location on all application servers. Leave this field blank if you want to run a Windows desktop session.

  • Arguments for Command – Any command-line arguments to use when starting the application.

  • SGD Remote Desktop Client – By default, the SGD Remote Desktop Client is used to run the application on the Microsoft Windows application server. SGD uses the Microsoft RDP protocol to connect to the application server. See Configuring Microsoft Windows Terminal Services for Use With SGD.

  • Local Client Launch – Select Local Client Launch to run the application on the user’s client device. See Running Windows Applications on Client Devices.

  • Domain Name – The Windows domain to use for the application server authentication process. This can be left blank. The domain can also be configured on either the application server or the user profile. See also Windows Domains and the Password Cache.

  • Number of Sessions – The number of instances of an application a user can run. The default is three.

  • Application Resumability – For how long the application is resumable. The following options are available:

      • Never – The application can never be resumed

      • During the User Session – The application keeps running and is resumable until the user logs out of SGD

      • General – The application keeps running for a time, controlled by the Timeout setting, after the user logs out of SGD, and can be resumed when the user next logs in

  • Window Type – How the application is displayed to the user. Use Kiosk for full-screen desktop sessions. Selecting the Scale to Fit Window check box for the Window Size enables SGD to scale the application window to fit the client device display. For Independent Window, you must specify a Height and Width for the Window Size or select the Client’s Maximum Size check box. Use Seamless Window mode to display the application in the same way it displays on the Windows application server, regardless of the user’s desktop environment. See Seamless Windows.

  • Color Depth – The application’s color depth. See Color Depth for more details.

  • Application Load Balancing – How SGD chooses the best application server to run the application. See Application Load Balancing for more details.

  • Hosting Application Servers tab – Use the Editable Assignments table to select the application servers, or group of application servers, that can run the application. The application must be installed in the same location on all application servers.

  • Assigned User Profiles tab – Use the Editable Assignments table to select the users that can see the application. Selecting Directory or Directory (light) objects enables you to give the application to many users at once. You can also use a Lightweight Directory Access Protocol (LDAP) directory to assign applications. See LDAP Assignments.

In addition to this configuration, you can also configure the following:

Creating Windows Application Objects on the Command Line

On the command line, you create a Windows application object with the tarantella object new_windowsapp command. You can also create multiple Windows application objects at the same time with the tarantella object script command. See Populating the SGD Organizational Hierarchy Using a Batch Script.

Windows application objects can only be created in the o=applications organizational hierarchy.

Configuring Microsoft Windows Terminal Services for Use With SGD

Configuring a Windows application object enables you to use the features of Microsoft Windows Terminal Services.


Note - From Windows Server 2008 R2, Terminal Services is renamed Remote Desktop Services.


The Terminal Services features supported by SGD and the application server platforms on which they are supported are listed in the Oracle Secure Global Desktop 4.6 Platform Support and Release Notes available at http://docs.sun.com/app/docs/doc/821-1928.

There are many possible configuration settings for Microsoft Windows Terminal Services. For detailed information on configuring Terminal Services, see your system documentation. To use Terminal Services with SGD, the settings you might have to configure include the following:


Note - Changes to your Terminal Services configuration only take effect for new Windows Terminal Server sessions.


Authentication Settings

You must configure Windows Terminal Services so that it does not prompt for a password when a user logs in.

By default, Windows 2000 Server always prompts for a password when users log in, whether or not SGD supplies the password for the application server from its password cache. By default, Windows Server 2003 or later does not prompt for passwords.

Session Resumability and Session Directory

With Windows Terminal Services, users’ sessions can continue to run following a connection loss.

If you are not using Session Directory, it is best to disable this feature on the Windows Terminal Server, and let SGD handle session resumability. This prevents unnecessary use of resources on the application server, and ensures that if users share accounts on the application server, they do not resume each other’s Windows sessions. To disable this feature, you must select End Session for the When Session Limit Is Reached Or Connection Is Broken option in Terminal Services Configuration.

If you are using Session Directory to handle session resumability, you must select Suspend Session for the When Session Limit Is Reached Or Connection Is Broken option in Terminal Services Configuration. To use Session Directory, you must also configure the Window Close Action attribute for Windows application objects to End Application Session.

Windows Printer Mapping

To support printing to client printers from a Windows Terminal Server session, Windows printer mapping must be enabled. Windows printer mapping is enabled by default.

Drive Redirection

To support mapping of client drives in a Windows Terminal Server session, drive redirection must be enabled. Drive redirection is enabled by default.

Encryption Level

You can only use the Low, Client-compatible, or High encryption levels with SGD. SGD does not support the Federal Information Processing Standards (FIPS) encryption level.

Multiple Terminal Services Sessions

By default, a Microsoft Windows Server only allows users to start one Terminal Services session. If a user starts another desktop session, or another instance of an application with the same arguments, the second Terminal Services session grabs the first session and disconnects it. This means that it is not possible to start two desktop sessions, or two instances of the same application, on the same Windows Server.

On Microsoft Windows Server 2003 or later application servers, you can enable support for multiple Terminal Services sessions.

Remote Desktop Users

For Microsoft Windows Server 2003 or later application servers, users can only use Terminal Services if they are members of the Remote Desktop Users group.

Time Zone Redirection

Client computers can redirect their time zone settings to the Terminal Server, so that users see the correct time for their time zone in their desktop or application sessions. Terminal Services uses the server base time on the Terminal Server and the client time zone information to calculate the time in the session. This feature is useful if you have client devices in different time zones. By default, this feature is disabled.

In the Administration Console, the Time Zone Map File attribute on the Global Settings -> Client Device tab specifies a file that contains mappings between UNIX platform client device and Windows application server time zone names.

Audio Redirection

To play audio from a Windows Terminal Server session, audio redirection must be enabled on the application server. By default, audio redirection is disabled.

Smart Card Device Redirection

To use a smart card reader from a Windows Terminal Server session, smart card device redirection must be enabled on the application server. By default, smart card device redirection is enabled.

COM Port Mapping

To access the serial ports on the client device from a Windows Terminal Server session, COM port mapping must be enabled on the application server. By default, COM port mapping is disabled.

Color Depth

SGD supports 8-bit, 16-bit, 24-bit, and 32-bit color depths in a Windows Terminal Server session.

32-bit color is available on Windows Vista, Windows Server 2008, Windows Server 2008R2, and Windows 7 platforms. For a 32-bit color depth, the client device must be capable of displaying 32-bit color.

15-bit color depths are not supported. If this color depth is specified on the Terminal Server, SGD automatically adjusts the color depth to 8-bit.

Transport Layer Security

From Microsoft Windows Server 2003 and later, you can use Transport Layer Security (TLS) for server authentication, and to encrypt Terminal Server communications. SGD does not support the use of TLS.

Terminal Services Group Policies

For Windows Server 2003 and later, Terminal Services settings can be configured using Group Policy, as follows:

To improve performance, you might want to configure some or all of the following policies:

Keep Alive Configuration for Windows Terminal Servers

If you find that the connection between the SGD server and the Windows Terminal Server is being dropped unexpectedly, you might need to configure the keep alive mechanism for the Windows Terminal Server.

How to do this is described in Microsoft Knowledge Base article 216783.

Licensing Microsoft Windows Terminal Services

SGD does not include licenses for Microsoft Windows Terminal Services. If you access terminal server functionality provided by Microsoft operating system products, you need to purchase additional licenses to use such products. Consult the license agreements for the Microsoft operating system products you are using to determine which licenses you must acquire.

Terminal Services licensing is done using a CAL. A CAL is a license that allows a client to access the Windows Terminal Server. Depending on the licensing mode, a client can be either a user, or a device, or a combination of both.

Client license management for Microsoft Windows Terminal Services varies according to the client platform, as follows:

Managing CALs From the Command-Line

You can use the tarantella tscal command to manage Microsoft Windows Terminal Services CALs for non-Windows client devices, as follows:

Microsoft Windows Remote Desktop

Some editions of Microsoft Windows include a Remote Desktop feature that enables you to access a computer using Microsoft RDP. You can use SGD and Remote Desktop, for example, to give users access to their office PC when they are out of the office.

The supported platforms and features for Remote Desktop are listed in the Oracle Secure Global Desktop 4.6 Platform Support and Release Notes available at http://docs.sun.com/app/docs/doc/821-1928.

Before introducing SGD, ensure that the Remote Desktop connection to the Microsoft Windows computer is working.

You configure SGD for use with Remote Desktop as follows:

See Using My Desktop for details of how to run a full-screen desktop session, without displaying the SGD webtop.

Seamless Windows

With seamless windows, the Microsoft Windows application server manages the display of the application. This means an application’s windows behave in the same way as an application displayed on the application server, regardless of the user’s desktop environment. The window can be resized, stacked, maximized, and minimized. The Windows Start Menu and Taskbar are not displayed when using seamless windows.

Seamless windows are not suitable for displaying Windows desktop sessions. Use a kiosk or independent window instead.

The following are the conditions for using seamless windows:

If any of the above conditions are not met, SGD displays the Windows application in an independent window instead.

Notes and Tips on Using Seamless Windows

The following are some notes and tips on displaying applications in seamless windows:

Key Handling for Windows Terminal Services

You can configure how SGD handles keyboard presses on the client device in a Windows Terminal Services session, as follows:

Supported Keyboard Shortcuts for Windows Terminal Services

SGD supports the following keyboard shortcuts for Windows Terminal Services sessions.

Keyboard Shortcut – Description

  • Ctrl-Alt-End – Displays the Windows Security dialog.

  • Alt-Page Up – Switches between windows, from left to right.

  • Alt-Page Down – Switches between windows, from right to left.

  • Alt-Insert – Cycles through windows, in the order they were opened.

  • Alt-End – Displays the Windows Start menu.

  • Alt-Delete – Displays the pop-up menu for the current window.

  • Ctrl-Alt-Minus – Use the Minus (-) key on the numeric keypad. Places a snapshot of the active client window on the Windows Terminal server clipboard. Provides the same functionality as pressing Alt-PrintScrn on a local computer.

  • Ctrl-Alt-Plus – Use the Plus (+) key on the numeric keypad. Places a snapshot of the entire client window area on the Windows Terminal server clipboard. Provides the same functionality as pressing PrintScrn on a local computer.

  • Alt-Ctrl-Shift-Space – Minimizes the active window. Only applies for kiosk mode.

The Windows Key and Window Management Keys

In SGD Windows Terminal Services sessions, the Windows key and keyboard shortcuts for managing windows can be sent either to the remote session or acted on locally. By default, they are acted on locally.

For Windows application objects that are configured to display in kiosk mode, the Window Management Keys (--remotewindowkeys) attribute controls keyboard shortcut behavior. To send the Windows key and window management keys to the remote session, do either of the following:

If the Windows key and window management keys are sent to the remote session, use the key sequence Alt-Ctrl-Shift-Space to exit kiosk mode. This minimizes the kiosk session on the local desktop. Alternatively, to exit kiosk mode you can use the Kiosk Mode Escape (--allowkioskescape) attribute to enable a pull-down header for the application window. The pull-down header includes icons for minimizing and closing the kiosk session.

For Windows application objects that are not configured to display in kiosk mode, you can force the Windows key to be sent to the remote session by using the -windowskey option for the SGD Remote Desktop Client. To send the Windows key to the remote session, do either of the following:

Configuring Windows Keyboard Maps

The process of configuring Windows keyboard maps in SGD is the same as that used for configuring keyboard maps for X applications. See also Keyboard Maps.


Note - For Windows applications, the keyboard layout must be the same on the client device and the application server.


Returning Client Device Information for Windows Terminal Services Sessions

By default, when you run a Windows application through SGD using the Microsoft RDP protocol, the host name of the client device is returned in the %CLIENTNAME% environment variable for the Windows Terminal Services session. When you use a Sun Ray Desktop Unit (DTU) client device, the DTU ID is returned in the %CLIENTNAME% environment variable. The DTU ID is the hardware address of the Sun Ray.

The DTU ID can be used to specify the name of the client device in the wcpwts.exp login script. SGD uses this login script for all Windows applications that connect using the Microsoft RDP protocol.

The SGD Remote Desktop Client

The SGD Remote Desktop Client, also known as ttatsc, is a client program that handles the connection between the SGD server and the Windows Terminal Server.

The syntax for running ttatsc from the command line is as follows:

ttatsc [-options..] server.example.com

where server.example.com is the name of a Windows Terminal Server.

You can use ttatsc to configure Windows Terminal Services sessions in the following ways:

The following options are supported for the ttatsc command.

Option – Description

  • -application application – The application to run in the Terminal Services session.

  • -audioquality low|medium|high – Sets the quality of the audio redirection.

  • -bulkcompression on|off – Enable or disable data compression for the connection.

  • -console – Instead of starting a normal RDP session, connect to a console session. This option is available as the Console Mode (--console) attribute for a Windows application.

  • -crypt on|off – Configures encryption for the connection. The default setting, on, gives the best user experience.

  • -default depth – Whether to let the Terminal Server set the default color depth of the X session.

  • -desktop – Whether to display a full screen desktop session.

  • -dir working_dir – Working directory for the Terminal Services session. This can be overridden by the application. This option is available as the Working Directory (--workingdir) attribute for a Windows application.

  • -display X display – The X display to connect to.

  • -domain domain – Domain on the Terminal Server to authenticate against.

  • -keyboard language_tag – Input locale. Specify an RFC1766 language tag.

  • -name client name – Name of the client device.

  • -netbiosname name – NetBIOS name for the client device. This is used for the redirected printer names on the Terminal Server.

  • -noaudio – Disables audio redirection.

  • -nofork – Do not run ttatsc as a background process.

  • -noprintprefs – Do not cache printer preferences. This option is available as the Printer Preference Caching (--noprintprefs) attribute for a Windows application.

  • -opts file – Read command options from a file. See Using a Configuration File for details.

  • -password password – Password for the Terminal Services user.

  • -perf disable wallpaper|fullwindowdrag|menuanimations|theming|cursorshadow|cursorsettings – Disable display options, to improve performance. The available settings are:

      • wallpaper – Disable the desktop wallpaper. This option is available as the Desktop Wallpaper (--disablewallpaper) attribute for a Windows application.

      • fullwindowdrag – Disable the option to show window contents when moving a window. This option is available as the Full Window Drag (--disablefullwindowdrag) attribute for a Windows application.

      • menuanimations – Disable transition effects for menus and tooltips. This option is available as the Menu Animations (--disablemenuanimations) attribute for a Windows application.

      • theming – Disable desktop themes. This option is available as the Theming (--disabletheming) attribute for a Windows application.

      • cursorshadow – Disable the mouse pointer shadow. This option is available as the Cursor Shadow (--disablecursorshadow) attribute for a Windows application.

      • cursorsettings – Disable mouse pointer schemes and customization. This option is available as the Cursor Settings (--disablecursorsettings) attribute for a Windows application.

    To disable multiple display options, use multiple -perf disable options.

  • -perf enable fontsmoothing – Turns on font smoothing for text on the desktop. This option is available as the Font Smoothing (--enablefontsmoothing) attribute for a Windows application.

  • -port port – RDP port to connect to on the Terminal Server. The default setting is 3389.

  • -printcommand command – This option is deprecated.

  • -remoteaudio – Leaves audio at the Terminal Server. This option is available as the Remote Audio (--remoteaudio) attribute for a Windows application.

  • -sharedcolor – Do not use a private color map.

  • -size width height – Display width and display height for the Terminal Services session, in pixels.

  • -spoil – This option is deprecated.

  • -stdin – Read command options from standard input. Used by the login scripts to pass command options to ttatsc.

  • -storage data_dir – This option is deprecated.

  • -swmopts on|off – Enable local window hierarchy for applications that use seamless windows. Needed for some Borland applications.

  • -timeout connect secs – Timeout for connecting to the Terminal Server, in seconds.

  • -timeout establish secs – Timeout for establishing an RDP connection, in seconds.

  • -uncompressed – This option is deprecated.

  • -user username – User name for the Terminal Services user.

  • -windowskey on|off – Whether to enable or disable Windows key for the Terminal Services session. The default setting is on.

Using a Configuration File

A configuration file is a text file containing the ttatsc command-line options to be used for the connection. Each option must be on a separate line without the leading dash (-). The argument and its value are separated by whitespace. Use either single or double quotes to enclose any literal whitespace.

The escape character is \. The following escape sequences are supported:

The following is an example configuration file:

u "Indigo Jones"
p "Wh1teh4ll"
a "C:\\program files\\notepad.exe"
naples.indigo-insurance.com
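
The following Python script is an added example, not part of the Oracle guide or of SGD. It parses an options file in the format described above and reports settings that deserve review: a password stored in the file, crypt set to off, and a file mode that lets group or other users reach the file. It assumes that Python's shlex quoting rules approximate ttatsc's own, that p names the password option as in the example file above, and that a lone token which is not a valueless option is the server name; the function names and finding labels are hypothetical.

```python
import os
import shlex
import stat

# Options that take no value, from the option table in this guide.
FLAGS = {"console", "desktop", "noaudio", "nofork", "noprintprefs",
         "remoteaudio", "sharedcolor", "spoil", "stdin", "uncompressed"}
# Assumption: "p" names the password option, as in the guide's example file.
PASSWORD_KEYS = {"password", "p"}

# Constructed sample: the guide's example file with "crypt off" added.
SAMPLE = r'''u "Indigo Jones"
p "Wh1teh4ll"
crypt off
a "C:\\program files\\notepad.exe"
naples.indigo-insurance.com
'''


def parse_opts(text):
    """Split options-file text into ([(line, name, args)], server)."""
    options, server = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            # Assumption: shlex's POSIX rules approximate ttatsc's quoting.
            tokens = shlex.split(line)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if not tokens:
            continue
        name, args = tokens[0], tokens[1:]
        if not args and name not in FLAGS:
            server = name  # a lone token that is not a flag: the server
        else:
            options.append((lineno, name, args))
    return options, server


def audit(text, mode=None):
    """Return (line, label) findings; line 0 means the file as a whole."""
    options, server = parse_opts(text)
    findings, has_password = [], False
    for lineno, name, args in options:
        if name in PASSWORD_KEYS:
            has_password = True
            findings.append((lineno, "cleartext-password"))
        elif name == "crypt" and args[:1] == ["off"]:
            findings.append((lineno, "encryption-disabled"))
    # A stored password matters most when other accounts can reach the file.
    if has_password and mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append((0, "accessible-to-group-or-other"))
    if server is None:
        findings.append((0, "no-server-line"))
    return findings


def audit_file(path):
    """Audit an options file on disk, including its permission bits."""
    with open(path, encoding="utf-8") as handle:
        return audit(handle.read(), os.stat(path).st_mode)


if __name__ == "__main__":
    for line, label in audit(SAMPLE, mode=0o644):
        print(line, label)
```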

Running Windows Applications on Client Devices

You can run a Windows application on a client device, instead of displaying it through SGD. If the application is not available on the client device, and the SGD Remote Desktop Client check box is selected, SGD tries to run it on the application server.

Applications that run on client devices are not resumable, even if the Application Resumability is configured.

The application must be installed in the same location on all client devices.