CHAPTER 4

Administration

The Sun Ray Windows Connector requires very little administration; however, administrators should be aware of the following issues, suggestions, and configuration instructions.


Compression and Encryption

Compression is enabled by default. It can be disabled on a per-connection basis with a CLI option. For example, to disable compression:


% /opt/SUNWuttsc/bin/uttsc -z <hostname.domain>

For encryption, the administrator needs to decide which of the available levels to use, after which the Windows Terminal Server can be configured accordingly.
(See Encryption.)


JDS Integration Package

The Sun Java™ Desktop System (JDS) integration package for the Solaris Operating System delivers a CLI called uttscwrap, which improves integration of the Sun Ray Windows Connector with the JDS desktop on Solaris 10. The JDS integration package is included in the Supplemental folder of the Sun Ray Windows Connector software image.

uttscwrap provides a login dialog that allows input of credentials for password-based authentication (username/domain/password). The credentials can be saved through the dialog for subsequent invocations. At the next launch, the dialog is pre-filled with the credentials.



Note - uttscwrap is designed for credential caching for password-based authentication only. It cannot be used with smart card authentication.
For smart card authentication, please use the Sun Ray Windows Connector directly (/opt/SUNWuttsc/bin/uttsc).


Credentials are saved separately for each Windows server/application combination. This allows you to save different credentials in the following ways:

Any new credentials saved for a server/application replace previously saved credentials.

Use uttscwrap when desktop or menu launchers are defined to launch either Windows Terminal Services sessions or Windows applications on various Windows servers.

To launch the Sun Ray Windows Connector through uttscwrap, specify the same parameters on the uttscwrap command line as you would use on the uttsc command line.


Licensing

Licenses can be administered with the utlicenseadm CLI. Administrative functions for licenses include listing and deleting. See the utlicenseadm man page for details.

Microsoft Terminal Services licensing information is stored in the Sun Ray data store automatically upon Windows session startup, using the existing LDAP schema. No administrator setup or intervention is required.

Licensing Modes and Hotdesking

Terminal Server Client Access Licenses can be configured in two modes on the Windows Terminal Server: per-user and per-device. In per-user mode, the user’s hotdesking experience is virtually seamless. In per-device mode, however, to ensure correct TS-CAL license handling, users must re-authenticate every time they hotdesk to a different DTU.

The differences in the user’s hotdesking experience are summarized below.

Per-user Mode

The user logs into a Sun Ray session with a smart card and opens a connection to a Windows session.

1. The user removes the smart card and reinserts it in the same DTU.

2. The user removes the smart card and inserts it in a different DTU.

In both cases, the user is instantly reconnected to the existing Windows session, and other features and services are unaffected.

Per-device Mode

The user logs into a Sun Ray session with a smart card and opens a connection to a Windows session.

1. The user removes the smart card and reinserts it in the same DTU.

The user is instantly reconnected to the existing Windows session.

2. The user removes the smart card and inserts it in a different DTU.

The Windows login screen prompts the user for username and password, after which the user is reconnected to the existing Windows session. Other features and services are similarly affected. For example:

However, all the command line options specified remain valid.



Note - The uttsc command provides a CLI option (-O) that can be used to prevent the Sun Ray Windows Connector from disconnecting upon detection of hotdesking events.




Caution - With the -O option, the Sun Ray Windows Connector does not disconnect/re-connect when a hotdesk event occurs, nor does it refresh licenses on different DTUs, instead using the original license granted upon connection to the first DTU. This may cause you inadvertently to violate your Microsoft Terminal Server license agreement. Since you have full responsibility for license compliance, be aware of the danger and use the -O option only with caution.



Load Balancing

Terminal services session load balancing is handled transparently by the Windows Terminal Server. For more detailed information, please refer to Microsoft documentation at:

http://www.microsoft.com/windowsserver2003/technologies/clustering/default.mspx


Proxy Daemon

On Solaris only, the Sun Ray Windows Connector uses a daemon process named uttscpd to act as a proxy for interactions with the Sun Ray data store. It uses port 7014 by default. A corresponding command, uttscrestart, allows the administrator to restart uttscpd.

At install time, the installer asks for a valid, existing UNIX group under which to install the proxy daemon and the Connector binaries. This group is used to establish a secure connection between the Connector and the proxy. The proxy validates and allows connections from a binary only if it belongs to this group. Do not use this group for any users or other components.



Note - Restarting the uttscpd daemon does not affect existing Sun Ray Windows Connector sessions.
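
One way to check that the proxy group is not used by any user account, given here as an added example that is not part of the original guide. The function names, the group names utwc and shared, and the sample passwd and group entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts that use the dedicated proxy group.
# POSIX sh and awk; on Solaris 10 use ksh and substitute nawk for awk.

# Print every account in group $1: supplementary members (field 4 of the
# group file $2) plus accounts whose primary GID in passwd file $3 matches.
group_users() {
    grp=$1; groupfile=$2; passwdfile=$3
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$groupfile")
    [ -n "$gid" ] || { echo "group $grp not found" >&2; return 2; }
    {
        awk -F: -v g="$grp" '$1 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$groupfile"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwdfile"
    } | sort -u
}

# Return 0 when no account uses the group, 1 when some do, 2 if it is missing.
audit_proxy_group() {
    users=$(group_users "$@") || return 2
    if [ -n "$users" ]; then
        echo "accounts using proxy group $1:" $users
        return 1
    fi
    echo "proxy group $1 has no user accounts"
}

# Constructed sample data; the group names utwc and shared are hypothetical.
sample=$(mktemp -d)
cat > "$sample/group" <<'EOF'
utwc::5000:
staff::10:alice,bob
shared::5001:alice,carol
EOF
cat > "$sample/passwd" <<'EOF'
alice:x:1001:10::/home/alice:/bin/sh
dave:x:1002:5001::/home/dave:/bin/sh
EOF
audit_proxy_group utwc "$sample/group" "$sample/passwd" || true
audit_proxy_group shared "$sample/group" "$sample/passwd" || true
```

On a live server, pass /etc/group and /etc/passwd (or files produced with getent) together with the group name chosen at install time.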



Printing

The Sun Ray Windows Connector supports printing to:



Note - Network printers are not affected by hotdesking. Printers connected to DTUs are available for printing from any DTU connected to the same Sun Ray server.


Printer Configuration Caching

The Sun Ray server maintains a cache, in the Sun Ray data store, of printer configurations that users set up on the Windows Terminal Server. The Sun Ray server presents the appropriate configuration to the Windows Terminal Server when a user reconnects using the Sun Ray Windows Connector.

The uttscprinteradm CLI helps administrators to maintain this information. It can be used to list the available information and to perform cleanup in case of user or printer deletion. See the uttscprinteradm man page for further information.

Setting Up Print Queues

Printer setup in Windows environments is beyond the scope of this document; however, printer setup requirements for Solaris and Linux are described below.

The Windows Terminal Server session is aware only of the print queues specified in the command line when the Sun Ray Windows Connector is started. To change print queues, restart the Sun Ray Windows Connector with the relevant print queues specified on the command line.



Note - These instructions pertain to raw print queues.[1] Please consult your operating system documentation for instructions on setting up queues for PostScript drivers. See also the lp and lpadmin man pages.


Solaris Printing

To set up a raw print queue on a Sun Ray server running Solaris:

1. Specify the printer and printer device node using the lpadmin command.


# /usr/sbin/lpadmin -p <printer-name> -v \
/tmp/SUNWut/units/IEEE802.<mac-address>/dev/printers/<device node>

2. Enable the print queue.


# /usr/bin/enable <printer-name>

3. Accept the print queue.


# /usr/sbin/accept <printer-name>

Linux Printing

To set up a raw print queue on a Sun Ray server running any supported flavor of Linux:

1. Uncomment the following line from the /etc/cups/mime.convs file:


application/octet-stream        application/vnd.cups-raw        0 -

2. Uncomment the following line from the /etc/cups/mime.types file:


application/octet-stream

3. Restart the cups daemon.


# /etc/init.d/cups restart

4. Create a soft link to the Sun Ray printer node in /dev/usb.

For example, if the device node is
/tmp/SUNWut/units/IEEE802.<mac-address>/dev/printers/<device node>,
then use the following command:


# ln -s \
/tmp/SUNWut/units/IEEE802.<mac-address>/dev/printers/<device node> \
/dev/usb/sunray-printer

Use this soft link (/dev/usb/sunray-printer) as the Device URI while creating the print queue.



Note - It may be necessary to create the /dev/usb directory as well as to re-create the soft link after rebooting.


5. To complete the procedure, set up a raw print queue.


# /usr/sbin/lpadmin -p <printer-name> -E -v usb:/dev/usb/sunray-printer

6. To complete this procedure for SuSE Linux:

a. Update /etc/cups/cupsd.conf to set the RunAsUser property to No.

b. Restart the cups daemon.


# /etc/init.d/cups restart
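
The Linux procedure above written as a script, given here as an added example that is not part of the original guide. The function names are assumptions; the commands and paths are the ones used in the steps, and the SuSE-only step 6 is not covered.

```shell
#!/bin/sh
# Added example: steps 1, 2 and 4 of the Linux procedure as idempotent helpers.

# Uncomment the application/octet-stream line in CUPS mime file $1.
# An already active line is left unchanged; returns 1 if no such line exists.
enable_raw_line() {
    file=$1
    grep -q '^[#[:space:]]*application/octet-stream' "$file" || return 1
    tmp=$(mktemp) || return 2
    sed 's|^#[#[:space:]]*\(application/octet-stream\)|\1|' "$file" > "$tmp" &&
        cat "$tmp" > "$file"      # overwrite in place: keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Re-create link $2 to Sun Ray printer node $1. Safe to run after every
# reboot, when /dev/usb or the link may have disappeared.
link_printer_node() {
    node=$1; link=$2
    [ -e "$node" ] || { echo "no such device node: $node" >&2; return 1; }
    mkdir -p "$(dirname "$link")" && ln -sfn "$node" "$link"
}

# Whole procedure, run as root. $1 = printer name, $2 = device node path.
setup_raw_queue() {
    enable_raw_line /etc/cups/mime.convs &&
    enable_raw_line /etc/cups/mime.types &&
    /etc/init.d/cups restart &&
    link_printer_node "$2" /dev/usb/sunray-printer &&
    /usr/sbin/lpadmin -p "$1" -E -v usb:/dev/usb/sunray-printer
}

# Constructed demo on scratch files, not the live CUPS configuration.
demo=$(mktemp -d)
printf '%s\n' '# Raw printing' \
    '#application/octet-stream        application/vnd.cups-raw        0 -' \
    > "$demo/mime.convs"
: > "$demo/node"                   # stand-in for the printer device node
enable_raw_line "$demo/mime.convs"
link_printer_node "$demo/node" "$demo/usb/sunray-printer"
```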

Making Sun Ray Printers Available to Windows

To make Sun Ray-attached printers available to a Windows session, specify the corresponding raw Sun Ray print queues on the command line. Printer data is created on the Windows server, so it is important to specify the name of the printer’s Windows driver and install it on the Windows server. If you make a printer available without specifying a driver, the Sun Ray Windows Connector defaults to a PostScript driver.



Tip - To find the printer driver name, check the Windows Registry key
MyComputer/HKEY_LOCAL_MACHINE/System/CurrentControlSet/Control/Print/Environments/Windows NT x86/Drivers/Version-3.
All printer drivers installed on the system appear on this list.


To specify a printer’s Windows driver, type:


% /opt/SUNWuttsc/bin/uttsc -r printer:<printername>=<driver name> <hostname.domain>

To make a printer available without specifying a driver, type:


% /opt/SUNWuttsc/bin/uttsc -r printer:<printername> <hostname.domain>

To make multiple printers available, type:


% /opt/SUNWuttsc/bin/uttsc -r printer:<printer1>=<driver1>,<printer2>=<driver2> <hostname.domain>


Session Directory

The Session Directory feature requires no configuration or administration by the Sun Ray administrator. The Windows administrator has several configuration options, such as whether to allow users to connect to a Windows Terminal Server directly or through a load balancer; however, these options are beyond the scope of this document. Please refer to Microsoft documentation for details.


Smart Cards

In addition to normal Sun Ray smart card functionality, such as hotdesking, the Sun Ray Windows Connector enables additional smart card functionality, such as:

For this purpose, it uses the Sun Ray PC/SC-lite framework on the Sun Ray server and smart card middleware on the Windows Terminal Server.

Smart card redirection is disabled by default. It can be enabled on a per-connection basis with the following CLI option:


% /opt/SUNWuttsc/bin/uttsc -r scard:on <hostname.domain>

To set up Smart Card login for Windows with the Sun Ray Windows Connector:

1. Set up Active Directory and Certification Authority (CA) on the Windows Server.

2. Install the PC/SC framework.

See the PC/SC-lite Release Notes for further details. They are available for download from the Sun Download Center (SDLC).

3. Install a Smart Card middleware product on the Windows Terminal Server.



Note - If you use ActivClient middleware, set “Disable PIN Obfuscation” to Yes through ActivClient user console on the Windows Server.


4. Enroll the necessary Certificate(s) onto the Smart Card, using either a Sun Ray Token Reader or an External Smart Card Reader connected to the Windows Server.


[1] When a Solaris or Linux print queue is configured with a print driver, the lp utility sends print data to the driver for processing before redirecting it to the printer. When a print queue is configured without a driver, lp sends unprocessed, or raw, data to the printer. A print queue configured without a printer driver is called a raw queue.