Exit Print View

Oracle Secure Global Desktop Administration Guide for Version 4.6

Document Information

Preface

1.  Networking and Security

2.  User Authentication

3.  Publishing Applications to Users

4.  Configuring Applications

Windows Applications

Configuring Windows Application Objects

Creating Windows Application Objects on the Command Line

Configuring Microsoft Windows Terminal Services for Use With SGD

Authentication Settings

Session Resumability and Session Directory

Windows Printer Mapping

Drive Redirection

Encryption Level

Multiple Terminal Services Sessions

Remote Desktop Users

Time Zone Redirection

Audio Redirection

Smart Card Device Redirection

COM Port Mapping

Color Depth

Transport Layer Security

Terminal Services Group Policies

Keep Alive Configuration for Windows Terminal Servers

Licensing Microsoft Windows Terminal Services

Managing CALs From the Command-Line

Microsoft Windows Remote Desktop

Seamless Windows

Notes and Tips on Using Seamless Windows

Key Handling for Windows Terminal Services

Supported Keyboard Shortcuts for Windows Terminal Services

The Windows Key and Window Management Keys

Configuring Windows Keyboard Maps

Returning Client Device Information for Windows Terminal Services Sessions

The SGD Remote Desktop Client

Using a Configuration File

Running Windows Applications on Client Devices

X Applications

Configuring X Application Objects

Creating X Application Objects on the Command Line

Supported X Extensions

X Authorization

X Fonts

Using Your Own X Fonts

Using a Font Directory

Using a Font Server

How to Configure SGD to Use Your Own X Fonts

Keyboard Maps

Character Applications

Configuring Character Application Objects

Creating Character Application Objects on the Command Line

Terminal Emulator Keyboard Maps

Default Mappings

Creating a Keyboard Map

Key Names

Client Device Keys

Application Server Keystrokes

Terminal Emulator Attribute Maps

How to Create Your Own Attribute Map

Editing Character Attributes

Terminal Emulator Color Maps

Examples of Using Color Maps

Dynamic Launch

Dynamic Application Servers

SGD Broker

User-Defined SGD Broker

VDI Broker

Dynamic Applications

How to Create a Dynamic Application

Client Overrides

Using My Desktop

Integrating SGD With Oracle VDI

How to Create a Dynamic Application Server for the VDI Broker

Using SSH

SSH Support

Configuring the SSH Client

How to Set Global SSH Client Options

How to Set Application SSH Client Options

Enabling X11 Forwarding for X Applications

How to Enable X11 Forwarding

Using SSH and the X Security Extension

How to Enable the X Security Extension

Using SSH and X Authorization

Using Advanced SSH Functions

Known Limitation With Client Keys

Application Authentication

Login Scripts

Configuring Application Authentication

The Application Server Password Cache

Managing the Application Server Password Cache

Security and the Password Cache

Windows Domains and the Password Cache

Input Methods and UNIX Platform Applications

Adding Support for System Prompts in Different Languages

Using RSA SecurID for Application Authentication

Tips on Configuring Applications

Starting an Application or Desktop Session Without Displaying a Webtop

Using SGD Web Services

Using Multihead Or Dual Head Monitors

Disabling Shared Resources

Configuring the Correct Desktop Size

Configuring Desktop Size for Client Window Management Applications

Configuring Desktop Size for Kiosk Mode Applications

Setting Up the Monitors

Improving the Performance of Windows Applications

Improving the Performance of Java Desktop System Desktop Sessions or Applications

Configuring the X Application Object for Java Desktop System

Disabling Default Java Desktop System Settings

Documents and Web Applications

Creating a Virtual Classroom

How to Create the Teacher's Application Object

How to Create the Classroom Application Object

Configuring Common Desktop Environment Applications

Configuring a CDE Desktop Session

Configuring a CDE Application

Using CDE and SSH

Configuring VMS Applications

Configuring the Login Script Used for the Application

Configuring the Transport Variable in the Login Script

Disabling X Security

3270 and 5250 Applications

Troubleshooting Applications

An Application Does Not Start

Checking the Configuration of the Application Object

Checking the Launch Details and Error Logs

Increasing the Log Output

Troubleshooting ErrApplicationServerTimeout Errors

Troubleshooting ErrApplicationServerLoginFailed Errors

An Application Exits Immediately After Starting

Applications Fail To Start When X Authorization Is Enabled

Applications Disappear After About Two Minutes

An Application Session Does Not End When the User Exits an Application

Checking the Session Termination Setting

Windows Applications Do Not Close Down

UNIX Desktop Sessions Do Not Close Down After Logging Out

Users Can Start Applications With Different User Names and Passwords

Using Windows Terminal Services, Users Are Prompted for User Names and Passwords Too Often

SGD Prompts the User

Terminal Server Prompts the User

Using Shadowing to Troubleshoot a User's Problem

A Kiosk Application Is Not Appearing Full-Screen

An Application's Animation Appears 'Jumpy'

Font Problems with X Applications

Display Problems With High Color X Applications

The X Application Fails With a Color Planes Error

The Colors Appear Strange

The X Application Uses Too Much Bandwidth

8-bit Applications Exit With a PseudoColor Visual Error

Clipped Windows With Client Window Management Applications

Emulating a Sun Keyboard

Display Update Issues When Shadowing Over a Low Bandwidth Connection

Troubleshooting Mouse Drag Delay Issues

Incorrect Time Zone Name Shown in Windows Applications

5.  Client Device Support

6.  SGD Client and Webtop

7.  SGD Servers, Arrays, and Load Balancing

A.  Global Settings and Caches

B.  Secure Global Desktop Server Settings

C.  User Profiles, Applications, and Application Servers

D.  Commands

E.  Login Scripts

F.  Third-Party Legal Notices

Glossary

Index

Using SSH

SGD can use SSH to provide secure connections between SGD servers and application servers. SSH provides the following benefits:

This section includes the following topics:

SSH Support

SGD works with SSH version 2 or later. Because of SSH version compatibility problems, use the same major version of SSH, either version 2 or version 3, on all SGD hosts and application servers.

SGD can automatically detect that SSH is installed on the SGD host if SSH is installed in one of the following directories:

If you want to run the SSH client from a different location, or you want to specify particular command-line arguments for the client, see Configuring the SSH Client for details.

To connect to an application server using SSH, the following must be true:

Configuring the SSH Client

When using SSH with SGD, you can configure the command-line arguments used by the SSH client. The arguments can be configured globally, for individual applications, or a combination of both.

You configure the global options for the SSH client by setting the TTASSHCLIENT environment variable, see How to Set Global SSH Client Options for details. Use the global SSH client configuration in the following situations:

You configure the application options for the SSH client by configuring the SSH Arguments attribute for the application object, see How to Set Application SSH Client Options for details.

You can combine the global and application SSH client configuration to set the path to the SSH client and set the command-line arguments.


Note - If you do this, any global command-line arguments are ignored.


The following table shows the effect of global and application configuration on the ssh command used.

Global Configuration
Application Configuration
SSH Command Used
[none]
[none]
ssh -l user@host
[none]
-X
ssh -X -l user@host
/usr/ssh -X
[none]
/usr/ssh -X -l user@host
/usr/ssh -X
-p port
/usr/ssh -p port -l user@host

How to Set Global SSH Client Options

Before You Begin

Ensure that no users are logged in to the SGD server and that there are no running application sessions, including suspended application sessions.

  1. Log on as superuser (root) on the SGD host.
  2. Stop the SGD server.
  3. Set the TTASSHCLIENT environment variable.

    Include the full path to the SSH client program and any required command-line arguments. For example:

    # TTASSHCLIENT="/usr/local/bin/ssh -q -X"; export TTASSHCLIENT

    Note - If you only want to set command-line arguments for the SSH client, you have to include the full path to the SSH client program, even if the SSH program is in a location where SGD can detect it.


  4. Restart the SGD server.

How to Set Application SSH Client Options

  1. In the Administration Console, go the Applications tab and select the application.
  2. Go to the Launch tab.
  3. Ensure that the ssh option is selected for the Connection Method.
  4. In the SSH Arguments field, type the SSH arguments you want to use for the application.
  5. Click Save.

Enabling X11 Forwarding for X Applications

To display X applications using SGD using an SSH connection, you must enable X11 forwarding. See How to Enable X11 Forwarding.

As a fallback, you can enable the Allow SSH Downgrade (--allowsshdowngrade) attribute on X application objects. If this attribute is enabled and X11 forwarding is not working or not configured, SGD tries to display the application using a regular unsecured X11 connection. Depending on your configuration, users might be prompted to accept the downgrade. The following table shows the effect of enabling the Allow SSH Downgrade attribute.

X11 Forwarding Configured
X11 Forwarding Working
Allow SSH Downgrade Attribute Enabled
What Happens When Users Start the Application
Yes
Yes
Yes
Application starts, SSH connection used
Yes
Yes
No
Application starts, SSH connection used
Yes
No
Yes
User prompted to allow downgrade to X11 connection
Yes
No
No
Application does not start
No
Not applicable
No
Application does not start
No
Not applicable
Yes
Application starts, X11 connection used

If an X11 connection is used, SGD sets the DISPLAY variable and X authorization cookie in the normal way. The SSH connection is only used for application authentication and for starting the application.

How to Enable X11 Forwarding

  1. Log in as superuser (root) on the SGD host.
  2. Configure the SSH daemon.

    Edit the sshd_config file and add the following line:

    X11Forwarding yes

  3. Configure the SSH client.

    Do either of the following:

    • Edit the ssh_config file and include the following lines:

      ForwardAgent yes

      ForwardX11 yes

    • Configure the SSH client to use the -X command-line argument.

      See Configuring the SSH Client for details.

  4. Restart the SSH daemon.

Using SSH and the X Security Extension

SGD supports the X Security extension. The X Security extension only works with versions of SSH that support the -Y option. For OpenSSH, this is version 3.8 or later. You enable the X Security extension by configuring the application objects individual applications as follows:

How to Enable the X Security Extension

  1. In the Administration Console, go to the Applications tab and select the application.
  2. Go to the Launch tab.
  3. Ensure that the ssh option is selected for the Connection Method.
  4. Select the X Security Extension check box.
  5. Click Save.

Using SSH and X Authorization

If SSH connections fail when X authorization is enabled, you might have to run the SSH daemon in IPv4-only mode because SGD might not support the X Security extension used on your server. You enable IP version 4 mode by editing your system SSH configuration file.

For example, on Red Hat Enterprise Linux, edit the /etc/sysconfig/sshd file and add the following line:

OPTIONS="-4"

You must restart the SSH daemon after making this change.

Using Advanced SSH Functions

Certain SSH functionality, such as client keys, requires that the SSH client process runs as a privileged user. However, for security reasons, the SGD server processes and the SSH client process run as a non-privileged user.

To use advanced SSH functions, you must make the SGD ttasshhelper application a setuid root process. You do this by running the following commands as superuser (root) on each SGD server in the array:

# chown root /opt/tarantella/bin/bin/ttasshhelper
# chmod 4510 /opt/tarantella/bin/bin/ttasshhelper

Caution

Caution - If you make these changes, you must protect your SGD servers from unauthorized access.


Known Limitation With Client Keys

If you are using the SSH client keys functionality, users might be prompted for a user name and password when they start an application. Users are prompted because SGD needs to know the user name to use for the SSH connection. Although users are also prompted for a password, the password is not actually used. Users are only prompted for a user name and password if they do not have an entry in the password cache for the application server, or if the password cache is disabled. If users are prompted, they only need to provide a user name. The password field can be left blank.