4.1. Windows Applications

This section describes how to configure Windows application objects.

This section includes the following topics:

4.1.1. Configuring Windows Application Objects

You use a Windows application object if you want to give a Microsoft Windows graphical application to users.

In the Administration Console, the configuration settings for Windows application objects are divided into the following tabs:

  • General tab – These settings control the name and the icon used when creating links for users

  • Launch tab – These settings control how the application is started and whether application sessions can be suspended and resumed

  • Presentation tab – These settings control how the application is displayed to users

  • Performance tab – These settings are used to optimize the performance of the application

  • Client Device tab – These settings control how the user's client device interacts with the application

The following table lists the most commonly used settings for configuring Windows application objects, and how to use them.

Attribute

Description

Name

The name that users see.

Icon

The icon that users see.

Application Command

The full path to the application that runs when users click the link.

The application must be installed in the same location on all application servers.

Leave this field blank if you want to run a Windows desktop session.

Arguments for Command

Any command-line arguments to use when starting the application.

SGD Remote Desktop Client

By default, the SGD Remote Desktop Client is used to run the application on the Microsoft Windows application server. SGD uses the Microsoft RDP protocol to connect to the application server. See Section 4.1.3, “Configuring Microsoft Windows Remote Desktop Services for Use With SGD”.

Domain Name

The Windows domain to use for the application server authentication process.

This can be left blank. The domain can also be configured on either the application server or the user profile. See also Section 4.7.3.3, “Windows Domains and the Password Cache”.

Number of Sessions

The number of instances of an application a user can run. The default is three.

Application Resumability

For how long the application is resumable. The following options are available:

  • Never – The application can never be resumed

  • During the User Session – The application keeps running and is resumable until the user logs out of SGD

  • General – The application keeps running for a time, controlled by the Timeout setting, after the user logs out of SGD, and can be resumed when the user next logs in

Window Type

How the application is displayed to the user.

Use Kiosk for full-screen desktop sessions. Selecting the Scale to Fit Window check box for the Window Size enables SGD to scale the application window to fit the client device display.

For Independent Window, you must specify a Height and Width for the Window Size or select the Client's Maximum Size check box.

Use Seamless Window mode to display the application in the same way it displays on the Windows application server, regardless of the user's desktop environment. See Section 4.1.6, “Seamless Windows”.

Color Depth

The application's color depth.

See Section 4.1.3.13, “Color Depth” for more details.

Application Load Balancing

How SGD chooses the best application server to run the application.

See Section 7.2.3, “Application Load Balancing” for more details.

Hosting Application Servers tab

Use the Editable Assignments table to select the application servers, or group of application servers, that can run the application.

The application must be installed in the same location on all application servers.

Assigned User Profiles tab

Use the Editable Assignments table to select the users that can see the application. Selecting Directory or Directory (light) objects enables you to give the application to many users at once. You can also use a Lightweight Directory Access Protocol (LDAP) directory to assign applications. See Section 3.2.2, “LDAP Assignments”.

In addition to this configuration, you can also configure the following:

4.1.2. Creating Windows Application Objects on the Command Line

On the command line, you create a Windows application object with the tarantella object new_windowsapp command. You can also create multiple Windows application objects at the same time with the tarantella object script command. See Section 3.1.5, “Populating the SGD Organizational Hierarchy Using a Batch Script”.

Windows application objects can only be created in the o=applications organizational hierarchy.

4.1.3. Configuring Microsoft Windows Remote Desktop Services for Use With SGD

Configuring a Windows application object enables you to use the features of Microsoft Windows Remote Desktop Services.

Note

Before Windows Server 2008 R2, Remote Desktop Services was called Terminal Services.

The Remote Desktop Services features supported by SGD and the application server platforms on which they are supported are listed in the Oracle Secure Global Desktop Platform Support and Release Notes for Release 4.7 available at http://www.oracle.com/technetwork/documentation/sgd-193668.html.

There are many possible configuration settings for Microsoft Windows Remote Desktop Services. For detailed information on configuring Remote Desktop Services, see your system documentation. To use Remote Desktop Services with SGD, the settings you might have to configure include the following:

Note

Changes to your Remote Desktop Services configuration only take effect for new Windows application sessions.

4.1.3.1. Authentication Settings

You must configure Windows Remote Desktop Services so that it does not prompt for a password when a user logs in.

By default, Windows Server 2003 or later does not prompt for passwords.

4.1.3.2. Session Resumability and Session Directory

With Windows Remote Desktop Services, users' sessions can continue to run following a connection loss.

If you are not using Session Directory, it is best to disable the session resumability feature on the Remote Desktop Session Host, and let SGD handle session resumability. This prevents the following potential problems:

  • Unnecessary use of resources on the application server

  • Users who share accounts on the application server might resume each other's Windows sessions.

  • After closing down an application using the window decoration, the Remote Desktop Services session might continue to run on the application server.

To disable the Remote Desktop Services session resumability feature, you must select End Session for the When Session Limit Is Reached Or Connection Is Broken option in Remote Desktop Session Host Configuration.

If you are using Session Directory to handle session resumability, you must select Suspend Session for the When Session Limit Is Reached Or Connection Is Broken option in Remote Desktop Session Host Configuration. To use Session Directory, you must also configure the Window Close Action attribute for Windows application objects to End Application Session.

4.1.3.3. Windows Printer Mapping

To support printing to client printers from a Windows Remote Desktop Services session, Windows printer mapping must be enabled. Windows printer mapping is enabled by default.

4.1.3.4. Drive Redirection

To support mapping of client drives in a Windows Remote Desktop Services session, drive redirection must be enabled. Drive redirection is enabled by default.

4.1.3.5. Encryption Level

You can only use the Low, Client-compatible, or High encryption levels with SGD. SGD does not support the Federal Information Processing Standards (FIPS) encryption level.

4.1.3.6. Multiple Remote Desktop Services Sessions

By default, a Microsoft Windows Server only allows users to start one Remote Desktop Services session. If a user starts another desktop session, or another instance of an application with the same arguments, the second Remote Desktop Services session grabs the first session and disconnects it. This means that it is not possible to start two desktop sessions, or two instances of the same application, on the same Windows Server.

On Microsoft Windows Server 2003 or later application servers, you can enable support for multiple Remote Desktop Services sessions.

4.1.3.7. Remote Desktop Users

For Microsoft Windows Server 2003 or later application servers, users can only use Remote Desktop Services if they are members of the Remote Desktop Users group.

4.1.3.8. Time Zone Redirection

Client computers can redirect their time zone settings to the Remote Desktop Session Host, so that users see the correct time for their time zone in their desktop or application sessions. Remote Desktop Services uses the server base time on the Remote Desktop Session Host and the client time zone information to calculate the time in the session. This feature is useful if you have client devices in different time zones. By default, this feature is disabled.

In the Administration Console, the Time Zone Map File attribute on the Global Settings → Client Device tab specifies a file that contains mappings between UNIX platform client device and Windows application server time zone names.

4.1.3.9. Audio Redirection

To play audio from a Windows Remote Desktop Services session, audio redirection must be enabled on the application server. By default, audio redirection is disabled.

4.1.3.10. Audio Recording Redirection

Audio recording redirection is supported for Microsoft Windows Server 2008 R2 and Microsoft Windows 7 application servers.

To record audio in a Windows Remote Desktop Services session, audio recording redirection must be enabled on the application server. By default, audio recording redirection is disabled.

To enable audio recording for Microsoft Windows 7 Enterprise application servers, you also need to add the following registry entry to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp key.

"fDisableAudioCapture"=dword:00000000

4.1.3.11. Smart Card Device Redirection

To use a smart card reader from a Windows Remote Desktop Services session, smart card device redirection must be enabled on the application server. By default, smart card device redirection is enabled.

4.1.3.12. COM Port Mapping

To access the serial ports on the client device from a Windows Remote Desktop Services session, COM port mapping must be enabled on the application server. By default, COM port mapping is disabled.

4.1.3.13. Color Depth

SGD supports 8-bit, 16-bit, 24-bit, and 32-bit color depths in a Windows Remote Desktop Services session.

32-bit color is available on Windows Server 2008, Windows Server 2008 R2, and Windows 7 platforms. For a 32-bit color depth, the client device must be capable of displaying 32-bit color.

15-bit color depths are not supported. If this color depth is specified on the Remote Desktop Session Host, SGD automatically adjusts the color depth to 8-bit.

4.1.3.14. Transport Layer Security

From Microsoft Windows Server 2003 and later, you can use Transport Layer Security (TLS) for server authentication, and to encrypt Remote Desktop Session Host communications.

4.1.3.15. Network Level Authentication

If the Remote Desktop Session Host supports Network Level Authentication (NLA) using CredSSP, you can use NLA for server authentication.

See Section 4.7.7, “Using Network Level Authentication for Windows Application Authentication” for more details about using NLA with Windows applications.

4.1.3.16. Remote Desktop Services Group Policies

For Windows Server 2003 and later, Remote Desktop Services settings can be configured using Group Policy, as follows:

  • Individual Windows Remote Desktop Session Hosts can be configured using a Local Group Policy Object (LGPO). In the Group Policy Object Editor for Windows Server 2008 R2, the Remote Desktop Services settings are at: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Remote Desktop .

  • Multiple Windows Remote Desktop Session Hosts can be configured using a Group Policy Object (GPO), linked to a domain or organizational unit (OU).

To improve performance, you might want to configure some or all of the following policies:

4.1.3.17. Keep Alive Configuration for Windows Remote Desktop Session Hosts

If you find that the connection between the SGD server and the Windows Remote Desktop Session Host is being dropped unexpectedly, you might need to configure the keep alive mechanism for the Windows Remote Desktop Session Host.

How to do this is described in Microsoft Knowledge Base article 216783.

4.1.4. Licensing Microsoft Windows Remote Desktop Services

SGD does not include licenses for Microsoft Windows Remote Desktop Services. If you access Remote Desktop Services functionality provided by Microsoft operating system products, you need to purchase additional licenses to use such products. Consult the license agreements for the Microsoft operating system products you are using to determine which licenses you must acquire.

Remote Desktop Services licensing is done using a client access license (CAL). A CAL is a license that allows a client to access the Windows Remote Desktop Session Host. Depending on the licensing mode, a client can be either a user, or a device, or a combination of both.

CALs for client devices that connect to the Remote Desktop Session Host are allocated in accordance with Microsoft policy. The location where CALs are stored on the client device varies according to the client platform.

Table 4.1, “Default Locations for Storing CALs on Client Devices”, shows the default storage location for CALs on each platform. On Linux, Oracle Solaris, and Mac OS X platforms, the default locations are created automatically when you install the SGD Client in a system-wide location, as described in Section 6.1.5.2, “System-Wide Installation”.

Table 4.1. Default Locations for Storing CALs on Client Devices

Client Platform   Default Location
---------------   ----------------
Windows           Windows registry
Linux             /var/cache/osgd
Oracle Solaris    /var/cache/osgd
Mac OS X          /Users/Shared/Microsoft/Crucial RDC Server Information
Sun Ray           Sun Ray Datastore


On Linux, Oracle Solaris, and Mac OS X platforms, if the default location is not available, CALs are stored in the user's $HOME/.tarantella directory.

For Linux, Oracle Solaris, and Mac OS X platforms, you can override the default location by using the <calstorepath> entry in the <localsettings> section of the client profile, profile.xml, on the client device. If the <localsettings> section is not present in the client profile, create a new section.

For example, use the following profile entry to set the license storage location to /opt/cals:

       <localsettings>
         ...
         <calstorepath>/opt/cals/</calstorepath>
       </localsettings>

If the client device is shared by multiple users, ensure that the license storage location is writeable by all users. The default license locations meet this requirement.
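One way to verify that requirement on a Linux, Oracle Solaris, or Mac OS X client is sketched below. This is an added example, not Oracle code: the `<profile>` root element in the sample is hypothetical, the function names are illustrative, and the sticky-bit check goes beyond what the page requires (it is standard POSIX behavior for world-writable directories).

```python
"""Check the CAL store configured in profile.xml (added example, not Oracle code)."""
import os
import stat
import xml.etree.ElementTree as ET


def cal_store_path(profile_xml):
    """Return the <calstorepath> text from profile.xml content, or None if unset."""
    root = ET.fromstring(profile_xml)
    for settings in root.iter("localsettings"):
        value = (settings.findtext("calstorepath") or "").strip()
        if value:
            return value
    return None


def check_cal_store(path):
    """List reasons why users sharing this device could not all store CALs here."""
    if not os.path.isdir(path):
        return [f"{path}: missing or not a directory"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    everyone = stat.S_IWOTH | stat.S_IXOTH  # create files and traverse
    if mode & everyone != everyone:
        problems.append(f"{path}: mode {mode:04o} is not writeable by all users")
    elif not mode & stat.S_ISVTX:
        # Added check: without the sticky bit, any user can delete or
        # rename license files that belong to another user.
        problems.append(f"{path}: mode {mode:04o} has no sticky bit")
    return problems


# Constructed sample; only <localsettings>/<calstorepath> comes from the page,
# the <profile> root element is a hypothetical wrapper.
SAMPLE_PROFILE = """<profile>
  <localsettings>
    <calstorepath>/opt/cals/</calstorepath>
  </localsettings>
</profile>"""

if __name__ == "__main__":
    # Fall back to the Linux default from Table 4.1 when no override is set.
    path = cal_store_path(SAMPLE_PROFILE) or "/var/cache/osgd"
    for line in check_cal_store(path) or [f"{path}: ok"]:
        print(line)
```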

See Section 4.9.21, “Troubleshooting Problems With CALs” for advice on troubleshooting issues with CALs when using SGD.

4.1.5. Microsoft Windows Remote Desktop Connection

Some editions of Microsoft Windows include a Remote Desktop Connection feature that enables you to access a computer using Microsoft RDP. You can use SGD and Remote Desktop Connection, for example, to give users access to their office PC when they are out of the office.

The supported platforms and features for Remote Desktop Connection are listed in the Oracle Secure Global Desktop Platform Support and Release Notes for Release 4.7 available at http://www.oracle.com/technetwork/documentation/sgd-193668.html.

Before introducing SGD, ensure that the Remote Desktop Connection link to the Microsoft Windows computer is working.

You configure SGD for use with Remote Desktop Connection as follows:

  • Create an application server object for each Microsoft Windows computer.

  • Create a Windows application object for the Windows desktop application.

    To ensure users access their own computer, you have to create separate Windows desktop application objects for each Microsoft Windows computer.

See Section 4.5.8, “Using My Desktop” for details of how to run a full-screen desktop session, without displaying the SGD webtop.

4.1.6. Seamless Windows

With seamless windows, the Microsoft Windows application server manages the display of the application. This means an application's windows behave in the same way as an application displayed on the application server, regardless of the user's desktop environment. The window can be resized, stacked, maximized, and minimized. The Windows Start Menu and Taskbar are not displayed when using seamless windows.

Seamless windows are not suitable for displaying Windows desktop sessions. Use a kiosk or independent window instead.

The following are the conditions for using seamless windows:

  • The SGD Enhancement Module for Windows must be installed on the application server.

  • The Windows application object must be configured with a Window Type of Seamless Window.

If any of the above conditions are not met, SGD displays the Windows application in an independent window instead.

4.1.6.1. Notes and Tips on Using Seamless Windows

The following are some notes and tips on displaying applications in seamless windows:

  • If an application is displayed in a seamless window, you can toggle between a seamless window and an independent window by pressing the Scroll Lock key.

  • Applications that have non-rectangular windows, for example, a media player with a customized skin, display in a rectangular window.

  • Some display modes may not be available for applications. For example, a media player is unable to minimize to the Taskbar. In Windows Media Player, this is called mini Player mode.

  • On Windows client devices, seamless windows are not affected by the Cascade, Tile Windows Horizontally, or Tile Windows Vertically window commands.

  • If a screen saver or the Windows Security dialog displays, the window automatically switches to an independent window. Unlocking the application automatically restores the window to a seamless window.

  • If a seamless window application is resumed on a display that is larger or smaller in size than the original session, the application is displayed in an independent window.

  • Each application displaying in a seamless window has its own RDP connection.

4.1.7. Key Handling for Windows Remote Desktop Services

You can configure how SGD handles keyboard presses on the client device in a Windows Remote Desktop Services session, as follows:

4.1.7.1. Supported Keyboard Shortcuts for Windows Remote Desktop Services

SGD supports the following keyboard shortcuts for Windows Remote Desktop Services sessions.

Keyboard Shortcut      Description
-----------------      -----------
Ctrl+Alt+End           Displays the Windows Security dialog.
Alt+Page Up            Switches between windows, from left to right.
Alt+Page Down          Switches between windows, from right to left.
Alt+Insert             Cycles through windows, in the order they were opened.
Alt+End                Displays the Windows Start menu.
Alt+Delete             Displays the pop-up menu for the current window.
Ctrl+Alt+Minus         Use the Minus (-) key on the numeric keypad. Places a snapshot of the active client window on the Windows Remote Desktop Session Host clipboard. Provides the same functionality as pressing Alt+PrintScrn on a local computer.
Ctrl+Alt+Plus          Use the Plus (+) key on the numeric keypad. Places a snapshot of the entire client window area on the Windows Remote Desktop Session Host clipboard. Provides the same functionality as pressing PrintScrn on a local computer.
Alt+Ctrl+Shift+Space   Minimizes the active window. Only applies for kiosk mode.

4.1.7.2. The Windows Key and Window Management Keys

In SGD Windows Remote Desktop Services sessions, the Windows key and keyboard shortcuts for managing windows can be sent either to the remote session or acted on locally. By default, they are acted on locally.

For Windows application objects that are configured to display in kiosk mode, the Window Management Keys (--remotewindowkeys) attribute controls keyboard shortcut behavior. To send the Windows key and window management keys to the remote session, do either of the following:

  • In the Administration Console, go to the Client Device tab for the Windows application object and select the Window Management Keys check box.

  • Use the following command:

    $ tarantella object edit --name obj --remotewindowkeys 1
    

If the Windows key and window management keys are sent to the remote session, use the key sequence Alt+Ctrl+Shift+Space to exit kiosk mode. This minimizes the kiosk session on the local desktop. Alternatively, to exit kiosk mode you can use the Kiosk Mode Escape (--allowkioskescape) attribute to enable a pull-down header for the application window. The pull-down header includes icons for minimizing and closing the kiosk session.

For Windows application objects that are not configured to display in kiosk mode, you can force the Windows key to be sent to the remote session by using the -windowskey option for the SGD Remote Desktop Client. To send the Windows key to the remote session, do either of the following:

  • In the Administration Console, go to the Launch tab for the Windows application object and type -windowskey on in the Arguments field.

  • Use the following command:

    $ tarantella object edit --name obj --protoargs "-windowskey on"
    

4.1.8. Returning Client Device Information for Windows Remote Desktop Services Sessions

By default, when you run a Windows application through SGD using the Microsoft RDP protocol, the host name of the client device is returned in the %CLIENTNAME% environment variable for the Windows Remote Desktop Services session. When you use a Sun Ray Client device, the DTU ID is returned in the %CLIENTNAME% environment variable. The DTU ID is the hardware address of the Sun Ray Client.

The DTU ID can be used to specify the name of the client device in the wcpwts.exp login script. SGD uses this login script for all Windows applications that connect using the Microsoft RDP protocol.

4.1.9. The SGD Remote Desktop Client

The SGD Remote Desktop Client, also known as ttatsc, is a client program that handles the connection between the SGD server and the Windows Remote Desktop Session Host.

The syntax for running ttatsc from the command line is as follows:

ttatsc [-options..] server.example.com

where server.example.com is the name of a Windows Remote Desktop Session Host.

You can use ttatsc to configure Windows Remote Desktop Services sessions in the following ways:

  • Configure attributes for the Windows application object. Some of the ttatsc command options are available as attributes for a Windows application object. These are indicated in the following table.

  • Configure the Arguments (--protoargs) attribute of the Windows application object. Using this attribute, you can specify ttatsc command options used for a Windows application object.

  • Edit the wcpwts.exp login script, and specify ttatsc command options. Any changes you make to this file are used for all Windows applications that connect using the Microsoft RDP protocol.

The following options are supported for the ttatsc command.

Option

Description

-application application

The application to run in the Remote Desktop Services session.

-audioquality low|medium|high

Sets the quality of the audio redirection.

-bulkcompression on|off

Enable or disable data compression for the connection.

-console

Instead of starting a normal Remote Desktop Services session, connect to a console session.

This option is available as the Console Mode (--console) attribute for a Windows application.

-crypt on|off

Configures encryption for the connection. The default setting, on, gives the best user experience.

-default depth

Whether to let the Remote Desktop Session Host set the default color depth of the X session.

-desktop

Whether to display a full screen desktop session.

-dir working_dir

Working directory for the Remote Desktop Services session. This can be overridden by the application.

This option is available as the Working Directory (--workingdir) attribute for a Windows application.

-display X display

The X display to connect to.

-domain domain

Domain on the Remote Desktop Session Host to authenticate against.

-keyboard language_tag

Input locale. Specify an RFC1766 language tag.

-name client name

Name of the client device.

-netbiosname name

NetBIOS name for the client device. This is used for the redirected printer names on the Remote Desktop Session Host.

-nla

Enables enhanced security when connecting to the Remote Desktop Session Host.

This option is available as the Enhanced Network Security (--enhancednetworksecurity) attribute for a Windows application.

-noaudio

Disables audio redirection.

-noaudioin

Disables audio recording redirection.

-nofork

Do not run ttatsc as a background process.

-noprintprefs

Do not cache printer preferences.

This option is available as the Printer Preference Caching (--noprintprefs) attribute for a Windows application.

-opts file

Read command options from a file. See Section 4.1.9.1, “Using a Configuration File” for details.

-password password

Password for the Remote Desktop Services user.

-perf disable wallpaper|fullwindowdrag|menuanimations|theming|cursorshadow|cursorsettings

Disable display options, to improve performance. The available settings are:

  • wallpaper – Disable the desktop wallpaper. This option is available as the Desktop Wallpaper (--disablewallpaper) attribute for a Windows application.

  • fullwindowdrag – Disable the option to show window contents when moving a window. This option is available as the Full Window Drag (--disablefullwindowdrag) attribute for a Windows application.

  • menuanimations – Disable transition effects for menus and tooltips. This option is available as the Menu Animations (--disablemenuanimations) attribute for a Windows application.

  • theming – Disable desktop themes. This option is available as the Theming (--disabletheming) attribute for a Windows application.

  • cursorshadow – Disable the mouse pointer shadow. This option is available as the Cursor Shadow (--disablecursorshadow) attribute for a Windows application.

  • cursorsettings – Disable mouse pointer schemes and customization. This option is available as the Cursor Settings (--disablecursorsettings) attribute for a Windows application.

To disable multiple display options, use multiple -perf disable options.

-perf enable fontsmoothing

Turns on font smoothing for text on the desktop.

This option is available as the Font Smoothing (--enablefontsmoothing) attribute for a Windows application.

-port port

RDP port to connect to on the Remote Desktop Session Host. The default setting is 3389.

-printcommand command

This option is deprecated.

-remoteaudio

Leaves audio at the Remote Desktop Session Host.

This option is available as the Remote Audio (--remoteaudio) attribute for a Windows application.

-sharedcolor

Do not use a private color map.

-size width height

Display width and display height for the Remote Desktop Services session, in pixels.

-spoil

This option is deprecated.

-stdin

Read command options from standard input. Used by the login scripts to pass command options to ttatsc.

-storage data_dir

This option is deprecated.

-swmopts on|off

Enable local window hierarchy for applications that use seamless windows. Needed for some Borland applications.

-timeout connect secs

Timeout for connecting to the Remote Desktop Session Host, in seconds.

-timeout establish secs

Timeout for establishing an RDP connection, in seconds.

-uncompressed

This option is deprecated.

-user username

User name for the Remote Desktop Services user.

-windowskey on|off

Whether to enable or disable the Windows key for the Remote Desktop Services session. The default setting is off.

4.1.9.1. Using a Configuration File

A configuration file is a text file containing the ttatsc command-line options to be used for the connection. Each option must be on a separate line without the leading dash (-). The argument and its value are separated by whitespace. Use either single or double quotes to enclose any literal whitespace.

The escape character is \. The following escape sequences are supported:

  • \n is a new line (0xA)

  • \r is a carriage return (0xD)

  • \t is a tab (0x9)

  • \\ is a literal \

  • \" is a literal double quote not used for delimiting quoted arguments

  • \' is a literal single quote not used for delimiting quoted arguments

The following is an example configuration file:

u "Indigo Jones"
p "Wh1teh4ll"
a "C:\\program files\\notepad.exe"
naples.example.com
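
The quoting and escape rules above can be checked with a small parser that also flags the security-relevant options in a file. This is an added example, not Oracle code and not how ttatsc itself reads the file. It assumes that escapes apply inside and outside quotes, that unlisted escapes are errors, that the last non-blank line is the server name, and that u, p, and a in the sample stand for user, password, and application. The `crypt off` line in the sample is constructed.

```python
"""Parse and audit a ttatsc options file (added example, not Oracle code)."""

# Escape sequences listed in Section 4.1.9.1.
ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\", '"': '"', "'": "'"}

# Assumption: the short names in the page's sample file mean these options.
ALIASES = {"u": "user", "p": "password", "a": "application"}


def split_line(line):
    """Split one line into tokens, honouring quotes and backslash escapes."""
    tokens, cur, quote, started = [], [], None, False
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\":
            nxt = line[i + 1] if i + 1 < len(line) else ""
            if nxt not in ESCAPES:  # assumption: anything else is an error
                raise ValueError(f"unsupported escape at column {i + 1}")
            cur.append(ESCAPES[nxt])
            started = True
            i += 2
            continue
        if quote:
            if ch == quote:
                quote = None  # closing quote
            else:
                cur.append(ch)  # literal character, whitespace included
        elif ch in "\"'":
            quote, started = ch, True  # opening quote; "" is an empty token
        elif ch.isspace():
            if started:
                tokens.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
        i += 1
    if quote:
        raise ValueError("unterminated quote")
    if started:
        tokens.append("".join(cur))
    return tokens


def parse_options(text):
    """Return (options, server); options maps a name to its value lists."""
    rows = [split_line(line) for line in text.splitlines() if line.strip()]
    if not rows or len(rows[-1]) != 1:
        raise ValueError("expected the server name alone on the last line")
    options = {}
    for name, *values in rows[:-1]:
        # An option such as "perf disable ..." may be given more than once.
        options.setdefault(ALIASES.get(name, name), []).append(values)
    return options, rows[-1][0]


def audit(options):
    """Return findings for settings that weaken the connection's security."""
    findings = []
    if "password" in options:
        findings.append("password: cleartext credential stored in the file")
    if ["off"] in options.get("crypt", []):
        findings.append("crypt: encryption is switched off for the connection")
    if "nla" not in options:
        findings.append("nla: enhanced network security is not requested")
    return findings


# The sample file from the page plus one constructed line ("crypt off").
SAMPLE = r'''u "Indigo Jones"
p "Wh1teh4ll"
a "C:\\program files\\notepad.exe"
crypt off
naples.example.com
'''

if __name__ == "__main__":
    opts, server = parse_options(SAMPLE)
    print("server:", server)
    for name, values in opts.items():
        print(name, "<redacted>" if name == "password" else values)
    for finding in audit(opts):
        print("FINDING", finding)
```

A single backslash in a Windows path is read as an escape, so `C:\temp` yields a tab character and `C:\work` is rejected; this is why the page's sample doubles every backslash.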