CHAPTER 2

New Features and Changes

This chapter describes the new features and changes in versions 4.40, 4.31, and 4.30 of SGD.

Topics in this chapter include the following:


New Features in Version 4.40

This section describes the features that are new in the Sun Secure Global Desktop Software 4.40 release.

SGD Administration Console

The SGD administration tools (Object Manager, Array Manager, Configuration Wizard, and Session Manager) have been replaced by the SGD Administration Console. The Administration Console is a web application that SGD Administrators use to configure SGD.

The Administration Console is localized into the languages supported by SGD: English, French, Japanese, Korean, Simplified Chinese, and Traditional Chinese.

To use the Administration Console, your browser must have JavaScript enabled.

Wherever possible, run the Administration Console on the primary server in the SGD array. Some operations, for example, creating new objects or editing object attributes, are best done on the primary server. If you perform these operations on a secondary server and the primary server is not running, your changes are not implemented.



Note - The SGD distribution includes a web archive (WAR) file for the Administration Console, sgdadmin.war. Using this file to deploy the Administration Console on another web application server is not supported.



You can start the Administration Console in one of the following ways:

See the Sun Secure Global Desktop 4.4 Administration Guide and the Sun Secure Global Desktop 4.4 Reference Manual for more details about the Administration Console.

Terminology Changes

The Administration Console uses different terminology compared to previous SGD releases.

The following table lists some common terms used in version 4.31 and the corresponding term used in the Administration Console.


SGD Version 4.31                    Administration Console
array member                        SGD server
browser-based webtop                webtop
emulator session                    application session
Enterprise Naming Scheme (ENS)      local repository
ENS equivalent name                 user profile
Fully Qualified Name                user identity
host                                application server
intelligent array routing           load balancing group
login authority                     system authentication
login profile                       user profile
person object                       user profile object
Tarantella Federated Naming (TFN)   Not used
webtop session                      user session

Attribute Name Changes

Some attributes have been renamed for the Administration Console. The Sun Secure Global Desktop 4.4 Reference Manual includes the attribute names used in the Administration Console, along with the previous attribute name used in Object Manager and Array Manager.

The Desktop Direct URL

The Desktop Direct Uniform Resource Locator (URL) enables users to log in and display a full-screen desktop without displaying a webtop.

To be able to use the Desktop Direct URL, the user must be assigned an application object called My Desktop (cn=My Desktop). This object is created automatically when SGD is installed. By default, the object is configured to run the default desktop application available on the SGD server, for example, the Sun Java Desktop System. You can reconfigure this object to run any application you want, but it works best with full-screen desktop applications. If users require different desktop applications, you can create additional My Desktop objects as required. However, users must be assigned only one My Desktop application.



Note - Users can be assigned any number of applications, but the Desktop Direct URL only gives users access to the My Desktop application.



The Desktop Direct URL is http://server.example.com/sgd/mydesktop, where server.example.com is the name of an SGD server. This URL displays the SGD Login page. Once the user has logged in, the desktop session displays and the web browser can be closed.



Note - There are no controls for suspending or resuming the desktop application. Users must log out of the desktop application as normal.



Support for Roaming Profiles

Users with Microsoft Windows client devices can have roaming user profiles. Roaming user profiles provide the user with the same working environment, no matter which Microsoft Windows computer they use. If Microsoft Windows users have roaming user profiles, the SGD client profile is automatically adjusted to allow for this, as follows:

The following settings from the SGD client profile are stored in the location of the user’s roaming profile:


Client Profile Setting            Roaming Profile Entry
Login URL                         <url>
Add Applications to Start Menu    <mode>
Automatic Client Login            <autologin>, <AT>
Connect on System Login           <autostart>
Connection Failure                <reconnect mode>, <reconnect_attempts>, <reconnect_interval>


Automatic Timeout of Idle User Sessions

SGD Administrators can now configure an automatic timeout for idle user sessions.

The timeout enables user sessions to be suspended if there has been no application session or webtop activity for a specified time period. The timeout applies to all SGD servers in the array.

This timeout is only configurable from the command line. You cannot edit the timeout value using the Administration Console.

You configure the timeout with the following command:


$ tarantella config edit \
--tarantella-config-array-webtopsessionidletimeout secs

Replace secs with the timeout value, measured in seconds.

A setting of 0 turns off the user session idle timeout feature. This is the default setting.

In the following example, user sessions are suspended after 1800 seconds (30 minutes) of inactivity.


$ tarantella config edit \
--tarantella-config-array-webtopsessionidletimeout 1800

Netmask Filters for Specifying Network Addresses

You can now specify a netmask filter when setting the following attributes:

The netmask filter takes the format v.w.x.y/z. The previous “wildcard” type filters are still supported.

The following example uses a netmask filter to specify external DNS names.


$ tarantella config edit --server-dns-external \
 "192.168.55.0/24:boston.indigo-insurance.com"
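
The following Python sketch is an added example, not part of the SGD documentation or product code. It checks entries in the filter:dns-name form before they are applied and shows which DNS name a given client address would receive. The first-match-wins ordering, the per-octet * wildcard syntax, the example.com names, and all function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample in the page's "filter:dns-name" form. The first entry is
# the page's own example; the other two are made up for illustration.
SAMPLE_ENTRIES = [
    "192.168.55.0/24:boston.indigo-insurance.com",
    "192.168.*.*:intranet.example.com",
    "*:www.example.com",
]


def parse_entry(entry):
    """Split 'filter:dns-name' into (filter, dns_name); IPv4 filters only."""
    pattern, sep, name = entry.partition(":")
    pattern, name = pattern.strip(), name.strip()
    if not sep or not pattern or not name:
        raise ValueError(f"expected 'filter:dns-name', got {entry!r}")
    return pattern, name


def parse_netmask(pattern):
    """Parse v.w.x.y/z strictly: host bits set (192.168.55.7/24) is an error."""
    return ipaddress.IPv4Network(pattern, strict=True)


def filter_matches(pattern, client_ip):
    """True if client_ip is covered by a netmask or wildcard filter."""
    addr = ipaddress.IPv4Address(client_ip)
    if "/" in pattern:
        return addr in parse_netmask(pattern)
    if pattern == "*":
        return True
    # Assumed wildcard syntax: four dotted octets, "*" matching any one octet.
    want = pattern.split(".")
    have = str(addr).split(".")
    if len(want) != 4:
        raise ValueError(f"wildcard filter needs four octets: {pattern!r}")
    return all(w == "*" or w == h for w, h in zip(want, have))


def resolve_external_name(entries, client_ip):
    """Return the DNS name of the first entry whose filter covers client_ip."""
    for entry in entries:
        pattern, name = parse_entry(entry)
        if filter_matches(pattern, client_ip):
            return name
    return None


def audit_entries(entries):
    """Report malformed netmasks and netmask entries hidden by an earlier one."""
    problems, seen = [], []
    for entry in entries:
        pattern, _ = parse_entry(entry)
        if "/" not in pattern:
            continue
        try:
            net = parse_netmask(pattern)
        except ValueError as exc:
            problems.append(f"{entry}: invalid netmask ({exc})")
            continue
        for earlier in seen:
            if net.subnet_of(earlier):
                problems.append(f"{entry}: never reached, covered by {earlier}")
                break
        seen.append(net)
    return problems


if __name__ == "__main__":
    for ip in ("192.168.55.20", "192.168.56.20", "203.0.113.9"):
        print(ip, "->", resolve_external_name(SAMPLE_ENTRIES, ip))
    for problem in audit_entries(SAMPLE_ENTRIES):
        print("problem:", problem)
```

Running an audit of this kind before tarantella config edit catches a netmask with host bits set or an entry that an earlier, broader filter makes unreachable.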

Window Management Keys

A new Window Management Keys (--remotewindowkeys) attribute is available for the following object types:

Using this attribute, keyboard shortcuts that deal with window management can either be sent to the remote session or acted on locally. This setting is only effective for applications having a Window Type setting of Kiosk mode.

To exit Kiosk mode when this attribute is enabled, use the key sequence Alt+Ctrl+Shift+Space. This minimizes the kiosk session on the local desktop.

By default, the Windows key is now enabled in SGD Windows Terminal Services sessions. The default setting for the SGD Terminal Services Client (ttatsc) -windowskey option is on. You can change this option using the Arguments for Protocol (--protoargs) attribute on the Windows application object.

Support for Solaris 10 OS Trusted Extensions

SGD runs on Solaris 10 OS Trusted Extensions with the following known limitations:

Global Management of Passwords and Tokens

The Administration Console can be used to globally manage passwords and tokens for all users of SGD.

You can now manage passwords and tokens by user identity or by user profile. Previously, the Object Manager administration tool only supported management of passwords and tokens by user profile.

Subject Alternative Names for Server Certificates

If an SGD server has multiple DNS names, for example, it is known by different names inside and outside a firewall, you can specify the additional DNS names as subject alternative names when generating a Certificate Signing Request (CSR). This enables you to associate more than one DNS name with a server certificate.

The tarantella security certrequest command now prompts you to enter subject alternative names when generating a CSR.

The subject alternative names for a certificate can be displayed using the tarantella security certinfo command.

Time Zone Map File Attribute

A new Time Zone Map File attribute (--xpe-tzmapfile) is available.

The attribute enables you to specify a file that contains mappings between UNIX client device and Microsoft Windows application server time zone names. The attribute applies to all SGD servers in the array.

Session Directory for Windows Terminal Services

SGD version 4.40.917 and later supports Session Directory for Windows Terminal Services sessions running on Microsoft Windows Server 2003.

Session Directory can be used instead of SGD to handle session resumability for Windows applications. Session Directory is a database that keeps track of which users are running which sessions on which Windows application server.

Using Session Directory enables SGD users to reconnect automatically to their Windows session.

See Session Directory for Windows Terminal Services for more details about using Session Directory with SGD.


New Features in Version 4.31

This section describes the features that are new in the Sun Secure Global Desktop Software 4.31 release.

Audio Support in X Applications

SGD Administrators can now enable sound in X applications accessed using SGD.

To hear sound in X applications, the following conditions must be met:

The UNIX audio module contains an OSS audio driver emulator. The audio driver emulator is installed in the kernel when you install the UNIX audio module of the SGD Enhancement Module.



Note - As the UNIX audio module includes an audio driver emulator, the application server itself does not actually need to have a sound card.



Some X applications are hard-coded to use the /dev/audio or /dev/dsp devices for audio output. A new attribute for X application objects, Audio Redirection Library (--unixaudiopreload), enables an SGD audio redirection library to force the X application to use the SGD audio device.

Support for the Remote Desktop on Microsoft Windows Vista

Microsoft Windows Vista includes the Remote Desktop feature that enables you to access a computer using the Remote Desktop Protocol. You can now use SGD and Remote Desktop, for example, to give users access to their office PC when they are out of the office. Only full Windows desktop sessions are supported.

You can also install the SGD Enhancement Module on Microsoft Windows Vista client devices to provide support for client drive mapping. Advanced load balancing and seamless windows are not supported.

SSH Client Settings

A new SSH Arguments (--ssharguments) attribute is available for the following object types:

With this attribute, you can specify the command-line arguments for the SSH client when the connection method for an application is SSH.


New Features in Version 4.30

This section describes the features that are new in the Sun Secure Global Desktop Software 4.30 release.

Integration With the Desktop Start or Launch Menu

The SGD Client can now operate in either of the following modes:



Note - Use Integrated mode if your organization prefers not to use Java technology on the client device.



To use Integrated mode, you must log in to SGD using the Login link on the desktop Start or Launch menu. Integrated mode is not available if you start a web browser and log in.

Working in Integrated mode simplifies session management. Unlike the webtop, it has no controls for suspending and resuming applications. Instead, when you log out, the Client automatically suspends or ends all running application sessions. When you log in again, the Client automatically resumes all suspended sessions.

Printing is also simplified. Printing is always “on” and print jobs go straight to the selected printer. Unlike the webtop, print jobs cannot be managed individually.

If you need to display a webtop, for example to resume a suspended application or manage printing, you click the Webtop link on the Start or Launch menu. The webtop displays in your default web browser.

If you configure the webtop content to display in groups, those groups are also used in the Start or Launch menu. If the group is configured to hide webtop content, the content does not display in the Start or Launch menu.

To log out of SGD, you click the Logout link on the Start or Launch menu.

For details of the desktop systems that can be used with Integrated mode, see Client Requirements.

Single Sign-On

You can now configure the SGD Client to start automatically when a user logs in to their client device. The SGD Client can also cache an authentication token that enables a user to start a user session automatically without having to log in manually. When the SGD Client is configured in this way, users experience the benefits of a single sign-on.

Automatic login is achieved using authentication token authentication. If the SGD Client presents a valid authentication token, the user is authenticated automatically to SGD. To obtain an authentication token, users must perform an initial log in using a web browser and then manually generate the authentication token by editing their client profile. A separate token is needed for each SGD server the user connects to.

Managing Client Configuration With Profiles

The desktop Start or Launch menu and single sign-on features mean that the SGD Client requires some configuration to connect to SGD. Not only that, different configurations might be needed in different situations, for example because the user is in the office or working at home. To be able to manage multiple Client configurations, version 4.3 introduces client profiles as the method for storing a group of SGD Client settings. Each client profile enables you to configure the following:

SGD Administrators have full control over client profiles. On an Administrator's webtop there is a new administration tool, Profile Editor. With the Profile Editor, Administrators can create and edit client profiles for organization, organizational unit (OU) objects, and for profile objects in the Tarantella System Objects organization. By defining client profiles for these objects, Administrators can deploy common default SGD Client configurations to users.

Administrators can control whether users can create and edit their own client profiles. User profile editing can be enabled globally, for an organization, for an OU, or for individual users. By default, user profile editing is enabled. Users create and edit profiles from the Edit button on their webtop.

SGD has a system-wide default profile that is configured to give users the standard webtop behavior available in previous releases. Administrators can edit this profile.

When the SGD Client connects to SGD, the profile configured for the user is copied from SGD to the client device. If a user edits their profile, the changes are stored only on the client device.

Mobile Proxy Server Configuration

When connecting to SGD from different locations, the SGD Client often needs different client proxy server settings. Ensuring that users have the correct proxy settings can also be difficult to administer. Version 4.3 introduces mobile proxy server configuration. With mobile proxy server configuration, the SGD Client uses the settings in the client profile to determine the proxy server settings. The proxy server settings can be specified as follows:

If the SGD Client is running in Integrated mode and configured to use the web browser settings, the SGD Client obtains the proxy settings by loading the URL specified in the profile in the user’s default web browser. As the SGD Client caches the settings it obtains, the SGD Client can be configured to use the settings in the cache so that the user’s default web browser only has to be started once.



Note - To determine the proxy settings from a web browser, the web browser must have Java technology enabled.



Enhanced Command Line for the SGD Client

The command line for the SGD Client on all platforms has been enhanced to support client profiles. You can use arguments to specify the following:

With the enhancements to the command line, you can create your own scripts for starting the SGD Client and for running single applications.

Manually Installable SGD Client

To support running the SGD Client in Integrated mode, or in environments that have web browsers without Java technology enabled, you can download and install the SGD Client manually. You download the SGD Client from an SGD server at http://server.example.com, where server.example.com is the name of an SGD server. Click Install the Sun SGD Client to install the SGD Client.

New X Server

This release includes a new X server, based on X11R6.8.2. The new X server delivers significant speed and bandwidth improvements when compared to version 4.2.

The updated server supports the following X extensions:

The new X server also includes support for some additional X fonts. The Speedo font is no longer available.

New X Security Extension Attribute

X application objects have a new X Security Extension attribute (--securityextension) that enables the X Security Extension for an application. If you need to run an X application from an application server that might not be secure, enable the X Security Extension and run the application in untrusted mode. This restricts the operations that the X application can perform in the X server and protects the display. X security only works with versions of SSH that support the -Y option. For OpenSSH, this is version 3.8 or later.

PDF Printing for UNIX Platform, Linux, and Mac OS X Clients

The SGD Client on UNIX platform, Linux, and Mac OS X client devices now supports PDF printing. On these clients, printing to an SGD PDF printer causes the document to be displayed in a PDF viewer where the file can be saved or printed. By default SGD supports the following PDF viewers.


Client Platform                             Default PDF Viewer
Solaris OS on SPARC technology platforms    Adobe Reader (acroread)
Solaris OS on x86 platforms                 GNOME PDF Viewer (gpdf)
Linux                                       GNOME PDF Viewer (gpdf)
Mac OS X                                    Preview.app

To be able to use a default viewer, the application must be on the user’s PATH.

If an alternative PDF viewer is preferred, the full path to the alternative viewer can be specified in the client profile used by the SGD Client.



Note - When selecting a PDF printer on UNIX platform, Linux, and Mac OS X client devices, there is no difference between the “Universal PDF Printer” and “Universal PDF Viewer” printers as the document is always displayed in a PDF viewer.



PDF printing on Microsoft Windows client devices is unchanged.

Client Drive Mapping for UNIX Platform and Linux Applications

Client drive mapping (CDM) is now available for UNIX platform and Linux applications.

When you enable client drive mapping in the Administration Console, this enables client drive mapping for UNIX platform, Linux, and Windows applications.

The attributes for managing access rights to client drives available for organization, organizational unit and user profile objects apply only to Windows client devices regardless of whether they are connected to Windows, UNIX platform, or Linux applications.

The drives that are mapped for UNIX platform, Linux, and Mac OS X client devices are controlled by entries in the user’s configuration file, $HOME/.tarantella/native-cdm-config.

For client drive mapping to be available for UNIX platform and Linux applications, the following conditions must be met:

When client drive mapping is enabled, the user’s client drives or file systems are available by default in the My SGD drives directory in the user’s home directory. The My SGD drives directory is a symbolic link to the NFS share that is used for client drive mapping.

Support for Serial Ports in Windows Applications

Users running Windows applications on a Windows Terminal Server can now access the serial ports on their client device.

To be able to access a serial port, the following conditions must be met:

Users must have read-write access to the serial ports that they want to access.

Serial port mapping is available to the SGD Client running on Windows, Solaris platform, and Linux client devices.

Support for the Remote Desktop on Microsoft Windows XP Professional

Microsoft Windows XP Professional includes the Remote Desktop feature that enables you to access a computer using the Remote Desktop Protocol. You can now use SGD and Remote Desktop, for example, to give users access to their office PC when they are out of the office. Only full Windows desktop sessions are supported.

You can also install the SGD Enhancement Module on Microsoft Windows XP Professional client devices to provide support for client drive mapping. Advanced load balancing and seamless windows are not supported.

Support for Connections to the Console Session With Windows Server 2003 Terminal Services

The SGD Terminal Services Client (ttatsc) now supports an additional -console option that enables you to connect to the console session with Windows Server 2003 Terminal Services.

You can specify this option with the Arguments for Protocol (--protoargs) attribute of the Windows application object.

Initial Connection Security

The initial connection between an SGD Client and an SGD server is now secured with SSL. However, after the user logs in, the connection is downgraded to a standard connection. To be able to use SSL permanently for connections to SGD, you must enable SGD security services.

TCP Port 5307 is used for SSL-based connections between SGD Clients and SGD. You might have to open this port in your firewall to allow SGD Clients to connect.

SGD has an array routes feature that enables you to configure server-side SOCKS proxy servers. You configure array routes with the following command:


$ tarantella config edit \
--tarantella-config-array-netservice-proxy-routes route...

If a route includes the :ssl option, you must configure the SGD SSL Daemon to accept unencrypted connections using the SSL Accelerator Support attribute on the Secure Global Desktop Server Settings ⇒ Security tab of the Administration Console, or with the following command:


$ tarantella config edit --security-acceptplaintext 1

Protecting Clients Against Unauthorized Servers

As the SGD Client can now start and log in automatically, it is vital that users only connect to an SGD server that is trusted. In this release, users must explicitly authorize the connection to SGD.

When a user connects to SGD for the first time, they see an Untrusted Initial Connection warning message that asks them whether they really want to connect to the SGD server. The message displays the host name and fingerprint of the security certificate for the server they are connecting to. Users should check these details before clicking Yes. Once a user agrees to the connection, they are not prompted again unless there is a problem.

To ensure that users only connect to SGD servers that are trusted, SGD Administrators must do the following:

In a fresh installation, each SGD server has its own self-signed security certificate. Administrators must obtain and install a valid X.509 certificate for each SGD server.

Controlled Copy And Paste

SGD Administrators now have control over copy and paste operations in Windows and X application sessions. Administrators can configure copy and paste as follows:

If a user attempts a copy and paste operation that is not permitted, for example because of differing security levels, they paste the following message instead of the copied data:

Sun SGD Software: Copied data not available to this application

Support for SecurID for Application Server Authentication

As well as using RSA SecurID to authenticate users to SGD, you can use SecurID for application server authentication when launching X and character applications.

To use SecurID authentication, first ensure that users can log in to the application server using SecurID before introducing SGD. When you are ready to use SecurID authentication, configure the application to use the securid.exp login script.

Localized User Interface

Version 4.3 contains localized user interfaces for the following languages:

By visiting a different URL, or selecting a language on the SGD Web Server Welcome Page (http://server.example.com, where server.example.com is the name of an SGD server), users can run a webtop in their preferred language. The SGD Client can also be started in a preferred language.

The Administration Console tool is localized into the same languages as the user interface.

Translated Documentation

The following table lists the translations of SGD Documentation that are available.


Language              Release Notes  Installation Guide  Administration Guide  Reference Manual  User Guide
French                Yes            Yes                 No                    No                Yes
Japanese              Yes            Yes                 Yes                   Yes               Yes
Korean                Yes            Yes                 No                    No                Yes
Simplified Chinese    Yes            Yes                 No                    No                Yes
Traditional Chinese   Yes            Yes                 No                    No                Yes

Language Support in Expect Scripts

The Expect scripts used to start applications on application servers are enhanced to support system prompts in different languages. By default, the languages supported by SGD are supported.

To enable the Expect scripts to work with system prompts in different languages, a new Prompt Locale (--hostlocale) attribute on application server objects enables you to specify the locale of the application server.


Changes in Version 4.40

This section describes the changes since the Sun Secure Global Desktop Software 4.31 release.

Changes to Supported Installation Platforms

For this release, the following changes to the supported installation platforms for SGD are applicable:

See Chapter 1 for more information about supported platforms for this release.

Retirement of Classic Clients

SGD version 4.31 was the last release to contain the Java technology clients, the SGD Native Clients and the classic webtop. The 4.40 release does not contain these clients.

As a result of this change, for this release of SGD, you cannot configure applications to display in a web browser window. The webtop and newbrowser options for the Window Type attribute (--displayusing) have been removed.

Login and Authentication Sequence

As a security measure to prevent denial-of-service attacks, the sequence of events when you log in to SGD has changed, as follows:

Start up of the SGD Client is indicated by an icon in the desktop task bar. See the Sun Secure Global Desktop 4.4 Installation Guide for more details about logging in to SGD.

You can no longer deny a connection to SGD based on the client’s IP address.

Server Certificates and Multiple External DNS Names

In previous releases, the --tarantella-config-ssldaemon-certificates attribute was used to associate an X.509 certificate with an external DNS name for an SGD server.

This attribute is no longer supported. In this release, you can specify external DNS names as subject alternative names when you generate a CSR.

See Subject Alternative Names for Server Certificates for more details.

Web Services Changes

The following web services changes have been implemented for this release:

Authentication Model Changes

In the 4.31 release, the startSession and the authenticateSession methods were used to authenticate a user session.

For the 4.40 release, creating and authenticating a user session have been combined into a single method, authenticate.

The startSession and authenticateSession methods are not available for the 4.40 release.

Renaming of Methods

Some overloaded methods were present in the 4.31 release. These methods were distinguished by the number and type of their parameters. All such overloaded methods have been renamed for the 4.40 release. Additionally, the mandatory parameters for the setSessionIdentity method have changed for the 4.40 release.

The following table lists the method name changes for this release.


Interface Name              Method Name in Version 4.31                                           Method Name in Version 4.40
ITarantellaDatastore        modify(String, String, String[])                                      modifyReplace(String, String, String[])
ITarantellaEvent            adminSendClientSideMessage(String, String, String, String, String)    adminBroadcastClientSideMessage(String, String, String, String, String)
ITarantellaExternalAuth     setSessionIdentity(String, String)                                    setSessionIdentity(String, String, String)
ITarantellaPrint            printJobs(String)                                                     printAllJobs(String)
ITarantellaWebtopSession    authenticateSession(String, String, String)                           authenticate(String, String, String, String)
ITarantellaWebtopSession    authenticateSession(String, String, String, Item[], Item[])           authenticateExt(String, String, String, String, Item[], Item[])
ITarantellaWebtopSession    setTCCConfiguration(String, String, String, String, String, Item[])   setTCCConfigurationOverrides(String, String, String, String, String, Item[])
ITarantellaWebtopSession    startSession(*)                                                       No equivalent

New Web Service Operations

The following table lists the new web service operations.


Interface Name              Method Name         Description
ITarantellaDatastore        deleteObjects       Delete several objects from the SGD datastore.
                            searchEnd           Release server resources for a given search.
                            searchNext          Retrieve the next subset of search results.
                            searchStart         Start a datastore search, returning a subset of results.
ITarantellaEmulatorSession  adminCount          Count the number of matching application sessions a search would return.
                            adminSearchEnd      Release server resources for a given search.
                            adminSearchNext     Retrieve the next subset of search results.
                            adminSearchStart    Start a search, returning a subset of results.
                            endSessions         End multiple application sessions.
ITarantellaPrint            adminCount          Count the number of matching print jobs a search would return.
                            adminSearchEnd      Release server resources for a given search.
                            adminSearchNext     Retrieve the next subset of search results.
                            adminSearchStart    Start a search, returning a subset of results.
ITarantellaWebtopSession    associateTCC        Associate a user session with an existing SGD Client connection.
                            authenticate        Authenticate a user session.
                            authenticateExt     Authenticate a user session.
                            createView          Create a new view of an existing user session.
                            adminEndSessions    End multiple user sessions.
                            adminCount          Count the number of matching user sessions a search would return.
                            adminSearchEnd      Release server resources for a given search.
                            adminSearchNext     Retrieve the next subset of search results.
                            adminSearchStart    Start a search, returning a subset of results.
ITarantellaUtility          searchEnd           Release server resources for a given search.
                            searchNext          Retrieve the next subset of search results.
                            searchStart         Start a search, returning a subset of results.


Document/Literal SOAP Message Encoding

The SOAP message encoding format used for SGD web services has changed from RPC/Encoded to Document/Literal.

To list the SGD web services, go to http://server.example.com/axis/services, where server.example.com is the name of an SGD server. Click on the wsdl link to see the Web Services Description Language (WSDL) listing for an SGD web service.

The WSDL listings for the RPC/Encoded versions of the web services are still included on this page. Do not use the RPC/Encoded versions for developing your own applications. These versions of the web services will be deprecated in future releases.

Querying Device Data

The adminLookupSession operation now returns device information. You can use this operation to query the --scottarawdevicedata and --scottadeviceaccessibledata device data attributes.

The returned device information can be used as a diagnostic tool.

Flushing the Kerberos Cache

A new setting for the tarantella cache command enables you to refresh the current Kerberos configuration settings for an SGD server.

The new option, krb5config, is used as follows:


$ tarantella cache --flush krb5config

This setting enables you to update the Kerberos configuration for an SGD server without having to restart the server. This feature is used for Active Directory authentication only.

tem status Command

For users of the SGD Enhancement Module, a new command is available.

The tem status command provides status information for load balancing, UNIX platform audio, and client drive mapping services for the SGD array. The command lists the installed modules and indicates whether they are running or not.

SGD Client Does Not Assume Java Technology by Default

The SGD Client can be started from the command line using the tcc command on Microsoft Windows client platforms, or the ttatcc command on UNIX, Linux, or Mac OS X client platforms.

In this release, by default, when you start the SGD Client from the command line or in Integrated mode, the SGD Client assumes that the client device does not have Java technology enabled. A new -use-java argument for the tcc and ttatcc commands configures the SGD Client to use Java technology.

In previous releases, by default, the SGD Client assumed Java technology was enabled. A -no-java argument for the tcc and ttatcc commands was available to override this behavior. This argument has now been deprecated.

The available arguments for the tcc and ttatcc commands are described in the Sun Secure Global Desktop 4.4 Administration Guide.

SGD Client Logs Client Device Information

The SGD Client now logs information on client devices. Device access data and error messages are logged for printing, serial port, client drive mapping, audio and smart card devices.

The client device information is written to the SGD Client log file and is displayed on the Detailed Diagnostics page of the webtop.

Renamed Command Line Arguments

Several attributes have been renamed to give shorter attribute names. This prevents errors when typing these attributes on the command line. The following table lists the attribute names that have been renamed.


Attribute Name in Version 4.31 Attribute Name in Version 4.40
--tarantella-config-login-thirdparty-searchens --login-thirdparty-ens
--tarantella-config-login-thirdparty-allownonens --login-thirdparty-nonens
--tarantella-config-ldap-thirdpartyldapcandidate-useens --login-ldap-thirdparty-ens
--tarantella-config-ldap-thirdpartyldapcandidate-useprofile --login-ldap-thirdparty-profile
--tarantella-config-xpeconfig-timezonemapfile --xpe-tzmapfile

Windows NT Domain Attribute

The Windows NT Domain attribute has been renamed to Domain Name. This attribute specifies the domain to use for the application server authentication process.

The following objects have this attribute:

PDF Printers Renamed

The names of the SGD PDF printers have changed as shown in the following table.


Printer Name in Release 4.31 Printer Name in Release 4.4
Universal PDF Universal PDF Printer
Print to Local PDF File Universal PDF Viewer

Window Closure Warning

For application objects configured with a Window Type setting of Independent Window, a warning dialog is now shown when the application window is closed. The dialog prompts you to confirm that you want to end the application session.

SOCKS Proxy Removed From Client Profile

You can no longer configure SOCKS proxy servers using the SGD Client profile.

You can still configure SOCKS proxy servers using the array routing feature. Use the following command:


$ tarantella config edit \
--tarantella-config-array-netservice-proxy-routes \
"192.168.10.*:CTSOCKS:taurus.indigo-insurance.com:8080"

With this configuration, clients with IP addresses beginning 192.168.10 connect using the SOCKS proxy server taurus.indigo-insurance.com on TCP port 8080.

Administration Tools Removed From The Administrator Webtop

The Object Manager, Array Manager, Session Manager, and Configuration Wizard administration tools are no longer displayed on the Administrator’s webtop. These administration tools have been replaced by a browser-based administration tool called the Administration Console. See SGD Administration Console for more details.

The Configuration Wizard is still included in the SGD distribution, as an example web application. To display the Configuration Wizard, go to http://server.example.com/sgd/admin/configmgr/index.jsp, where server.example.com is the name of an SGD server.

Session Manager is still included in the SGD distribution, as an example web application. To display Session Manager, go to http://server.example.com/sgd/admin/sessmgr/index.jsp, where server.example.com is the name of an SGD server.

Login Script Changes

The login scripts in the /install-dir/var/serverresources/expect directory have been rationalized. Some scripts have been renamed and others have been merged.

If you are using SecurID for application server authentication, objects now use the securid.exp script, rather than the securid/unix.exp script. For backward compatibility, a symbolic link now exists from securid/unix.exp to the new securid.exp script.

Enabling Input Methods for Locales

An input method (IM) is a program or operating system component that enables users to enter characters and symbols not found on their keyboard. On Microsoft Windows platforms, an IM is called an input method editor (IME).

When running applications, SGD enables an IM if any of the TTA_PreferredLocale, TTA_HostLocale, or LANG (from the application environment overrides) environment variables is set to a locale that requires an IM. The locales that require an IM are controlled by the IM_localeList variable, which is defined in the vars.exp login script.

By default, an IM is enabled for all Japanese, Korean, and Chinese locales. To enable an IM in other locales, you must edit vars.exp and add the locale to the IM_localeList variable.

SGD Client Termination Timeouts

If an application is terminated because the SGD Client exits unexpectedly, an additional value of 20 minutes is added to the following timeouts:


Changes in Version 4.31

This section describes the changes since the Sun Secure Global Desktop Software 4.30 release.

SecurID Authentication on Solaris x86 Platforms

In version 4.31, you can use SecurID authentication when SGD is installed on Solaris x86 platforms.

Support for Multiple SGD Servers in Integrated Mode

In version 4.30, it is possible to connect only to one SGD server when the SGD Client is in Integrated mode. In version 4.31, Integrated mode can be used with multiple SGD servers. In the desktop Start or Launch menu, a login link is available for each SGD server.

Array Routes

SGD has an array routes feature that enables you to configure server-side SOCKS proxy servers. You configure array routes with the following command:


$ tarantella config edit \
--tarantella-config-array-netservice-proxy-routes route...

Array routes are enhanced so that you can now configure a direct connection type. Use CTDIRECT as the connection type to specify the clients that can connect without using a proxy server.

The following is an example array route configuration:


$ tarantella config edit \
--tarantella-config-array-netservice-proxy-routes \
"192.168.5.*:CTDIRECT:" \
"192.168.10.*:CTSOCKS:taurus.indigo-insurance.com:8080"

With this configuration, clients with IP addresses beginning 192.168.5 have a direct connection. Clients with IP addresses beginning 192.168.10 connect using the SOCKS proxy server taurus.indigo-insurance.com on TCP port 8080.
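The route strings shown here and under SOCKS Proxy Removed From Client Profile can be checked before they are applied. The following Python sketch is an added example, not part of the SGD documentation or product: it parses and validates the pattern:type:host:port form, lists the routes that match a client address, and lists the patterns that bypass the proxy. It assumes shell-style * matching and recognizes only the two connection types named on this page; because the page does not state route precedence, it returns every matching route.

```python
from fnmatch import fnmatchcase
from typing import NamedTuple, Optional, Tuple

class Route(NamedTuple):
    pattern: str                        # client address pattern, e.g. "192.168.10.*"
    conn_type: str                      # "CTDIRECT" or "CTSOCKS"
    proxy: Optional[Tuple[str, int]]    # (host, port) for CTSOCKS, None for CTDIRECT

def parse_route(text):
    """Parse one route string of the form pattern:type:host:port."""
    fields = text.split(":")
    if len(fields) < 3 or not fields[0]:
        raise ValueError(f"malformed route: {text!r}")
    pattern, conn_type, rest = fields[0], fields[1], fields[2:]
    if conn_type == "CTDIRECT":
        if any(rest):
            raise ValueError(f"CTDIRECT route names a proxy: {text!r}")
        return Route(pattern, conn_type, None)
    if conn_type == "CTSOCKS":
        if len(rest) != 2 or not rest[0] or not rest[1].isdigit():
            raise ValueError(f"CTSOCKS route needs host:port: {text!r}")
        port = int(rest[1])
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {text!r}")
        return Route(pattern, conn_type, (rest[0], port))
    # Only the connection types named on this page are recognized here.
    raise ValueError(f"unrecognized connection type: {text!r}")

def matching_routes(client_ip, routes):
    """Every route whose pattern matches; more than one match needs review."""
    # Assumption: "*" is a shell-style wildcard, as in "192.168.10.*".
    return [r for r in routes if fnmatchcase(client_ip, r.pattern)]

def direct_patterns(routes):
    """Client patterns that connect without any proxy server."""
    return [r.pattern for r in routes if r.conn_type == "CTDIRECT"]

# The example configuration from this section.
ROUTES = [parse_route(s) for s in (
    "192.168.5.*:CTDIRECT:",
    "192.168.10.*:CTSOCKS:taurus.indigo-insurance.com:8080",
)]

if __name__ == "__main__":
    for ip in ("192.168.5.20", "192.168.10.7", "192.168.100.7"):
        print(ip, matching_routes(ip, ROUTES))
    print("direct:", direct_patterns(ROUTES))
```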

SGD Startup Scripts

In version 4.31, the startup scripts that ensure SGD services stop and start when an SGD server is rebooted are renamed and restructured. The *Tarantella and *TarantellaWebserver scripts are replaced by a single script named *sun.com-sgd-base. The *tem script for the SGD Enhancement Module is now named *sun.com-sgd-em.

Untrusted Initial Connection Message

The Untrusted Initial Connection warning message that displays when users first connect to an SGD server is enhanced. Users can now view the server’s security certificate from this message.

Windows Key Disabled

In version 4.31, the Windows key is disabled in SGD Windows Terminal Services sessions by default. The Windows key is honored in local Windows sessions only. To display the Windows Start menu in an SGD Terminal Services Session, press Alt+Home.

The SGD Terminal Services Client (ttatsc) now supports an additional -windowskey on|off option that lets you enable support for the Windows key. You can specify this option with the Arguments for Protocol (--protoargs) attribute on the Windows application object.


Changes in Version 4.30

This section describes the changes since the Sun Secure Global Desktop Software 4.20 release.

Single Installable Package

Version 4.3 introduces a single package for installing SGD. When you install SGD, you install all the packages that previously had to be installed separately, including the font packages. The license keys installed in the array control the SGD components that can be used.

SSL Daemon Always Running

Because the initial connection to SGD is now always secure, the SGD SSL Daemon is always running, even if SGD security services are not enabled.

User Preferences File on UNIX Platform, Linux, and Mac OS X Client Devices

In previous releases, a user preferences file was used to configure the SGD Client on UNIX platform, Linux, and Mac OS X client devices. With the introduction of profiles, this file is no longer used.

Window Close Action (--windowclose) Attribute

In previous releases, the Window Close Action (--windowclose) attribute was only available to X applications that were configured to display using client window management. The use of this attribute is extended to include X, Windows, and character applications that are configured to display using an independent window.

The change means that closing an independent window might end or suspend the application session. The default is to end the session.

Support for PAM for UNIX Platform User Authentication

SGD now supports Pluggable Authentication Modules (PAM) for UNIX platform user authentication. The change affects the following UNIX authentication mechanisms:

SGD uses PAM for user authentication, account operations and password operations.

When you install SGD on Linux platforms, Setup automatically creates PAM configuration entries for SGD by copying the current configuration for the passwd program and creating the /etc/pam.d/tarantella file. On Solaris OS platforms, you can add a new entry for SGD (tarantella) in the /etc/pam.conf file if required.

Using PAM gives SGD Administrators more flexibility and control over UNIX platform user authentication, for example by adding new login tests, account limits, or valid password checks.

PDF Printing

As a result of the changes introduced in this release to support PDF printing on UNIX platform, Linux, and Mac OS X client devices, the Display Adobe Reader Print dialog (--pdfprompt) attribute is removed.

This change means that when users print with the Universal PDF Printer printer on Windows clients, the print job is automatically sent to the client’s default printer. To be able to choose the client printer where a print job is sent, users must now select the Universal PDF Viewer printer.

Client Certificates for Active Directory Authentication

For Active Directory authentication, a Client Certificates checkbox is available in the Authentication Wizard. If Active Directory is configured to require a client certificate and you created and installed a client certificate for SGD, then you no longer need to configure the user name and password of a privileged user.

SGD Certificate Store

The password used for the SGD certificate store, /install-dir/var/info/certs/sslkeystore, is no longer hard-coded to 123456. Instead, each store now has a random password, which is stored in /install-dir/var/info/key. Use this password with the -storepass and -keypass options when using the keytool application.
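To confirm that a keystore no longer opens with the old hard-coded password, the store's integrity digest can be recomputed offline. The following Python sketch is an added example, not SGD code. It assumes the store is in keytool's JKS format and checks only the store password (-storepass), not the per-key passwords (-keypass).

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
LEGACY_DEFAULT = "123456"      # the hard-coded store password named above

def jks_digest(password, body):
    """Integrity digest that the JKS format appends to the store contents."""
    salted = password.encode("utf-16-be") + b"Mighty Aphrodite"
    return hashlib.sha1(salted + body).digest()

def jks_password_matches(store_bytes, password):
    """True if `password` is the store (-storepass) password of a JKS file."""
    if len(store_bytes) < 32 or struct.unpack(">I", store_bytes[:4])[0] != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    body, stored = store_bytes[:-20], store_bytes[-20:]
    return hmac.compare_digest(jks_digest(password, body), stored)

def uses_legacy_default(store_bytes):
    """Flag a store that still opens with the old hard-coded password."""
    return jks_password_matches(store_bytes, LEGACY_DEFAULT)

def make_empty_jks(password):
    """Constructed fixture: a version 2 JKS store holding zero entries."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + jks_digest(password, body)

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:     # path to a copy of the keystore
        print("legacy default password:", uses_legacy_default(fh.read()))
```

Run the check against a copy of the keystore, and keep the key file that holds the current password readable only by the SGD service account.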

Licensing

Version 4.2 contained the following changes to licensing:

If you upgrade from an earlier version, your existing product license keys are automatically converted and your existing Maintenance and Right to Upgrade license keys are deleted.

Application Connection Methods

From version 4.1, SGD no longer supports the rlogin and rcmd connection methods for starting applications. If you upgrade from an earlier version, you must change the connection method for any applications that use these methods.

Simultaneous Webtop Connections Attribute

From version 4.1, SGD uses a different attribute for the Maximum Simultaneous User Sessions setting (--tuning-maxconnections). If you upgrade from an earlier version, the default setting for this attribute is applied.

Mainframe (3270) Applications

From version 4.0, SGD uses a different emulator for mainframe (3270) applications. 3270 character and 3270 X application objects are no longer available and are replaced by a single 3270 application object. As the new 3270 application object has several new attributes, it is not possible to upgrade existing 3270 application objects. If you upgrade from an earlier version, your existing 3270 character and 3270 X applications are deleted when you upgrade. You must reconfigure these applications.