14.5. How to Modify a Sun Ray Client's Local Configuration (Configuration GUI)

14.5.1. Security Configuration Repository
14.5.2. Configuration GUI Menu Descriptions
14.5.3. How to Load a Remote Configuration File

Sun Ray Software provides optional functionality to modify a Sun Ray Client's local configuration through a Graphical User Interface (GUI) tool. A Sun Ray Client's local configuration is checked first before using the configuration from the Sun Ray server, so this enables you to individually configure a Sun Ray Client's behavior at the local level.

Most of the firmware values are stored in the Sun Ray Client's flash memory. Certain control key combinations are used to invoke the Configuration GUI, which enables you to examine and set the local configuration values.

The Configuration GUI enables several features that require the ability to set and store configuration information on the Sun Ray Client itself, including:

The firmware server specified in a client's local configuration is the default server used to provide configuration information for download, such as certificate files, .pcf files, the .parms file, and configuration files.

14.5.1. Security Configuration Repository

A security configuration repository is provided in a Sun Ray Client's firmware to store specific configuration files and certificates/keys for features such as VPN or 802.1x authentication. You can copy files to a firmware's repository through the file copy entry in a remote configuration file. See Table 14.3, “Remote Configuration File Key Values” for details.

Files stored in the firmware's repository are typed by the directory in which they are placed. The current directories and types are:

  • 802.1x authentication

    • /certs - X509 certificate files

    • /keys - Public/private key files

    • /wpa - wpa_supplicant configuration files

  • IPsec

    • /ike/default.conf - IKE configuration file (racoon configuration file)

    • /preshared/keys - Pre-shared key file (used when the authentication_method statement is set to pre_shared_key)

  • VPN

    • /profiles - Cisco VPN configuration profiles (.pcf files)

In addition to the files that you copy to the firmware's repository, other files may be created by some configuration operations.

14.5.2. Configuration GUI Menu Descriptions

Table 14.1, “Configuration GUI Main Menu Items” and Table 14.2, “Configuration GUI Advanced Menu Items” provide descriptions for the Configuration GUI menu items.

  • Press one of the following key combinations on a Sun Ray Client to open the Configuration GUI and display the main menu:

    • Stop-S or Ctrl-Pause-S

    • Stop-M or Ctrl-Pause-M

Some of the menus have an Exit entry, but the Escape key always returns to the menu one level above the current one. Escape at the top level prompts for any changes to be saved or discarded. If changes have been written to the flash memory, the Escape key resets the Sun Ray Client.

Table 14.1. Configuration GUI Main Menu Items

Main Menu Item

Menu Item Descriptions

VPN Setup

Cisco EzVPN authentication model

  • Enable - On/Off

  • Import profile - Profile name

  • Peer type - Cisco or Netscreen (Juniper Networks)

  • Auth method - Xauth, Preshared, or Hybrid

  • Peer - Gateway peer (name or IP address)

  • Group - Group name

  • Set Group Key

  • Username - Xauth user name (if static)

  • Set Password - Xauth password (if static)

  • Set PIN - If the PIN has been set, the user is prompted for it before a locally stored Xauth user name and password are used.

  • Advanced

    • DH Group - Diffie-Hellman group

    • PFS Group

    • IKE Lifetime - IKE Phase 1 lifetime

    • IPsec Lifetime

    • Dead Peer Detection

    • Session timeout - Idle timeout, after which VPN connection is dropped

  • Save - Save the VPN configuration.

802.1x Configuration

  • Enable and initialize - Enables 802.1x authentication. If you choose this menu item and the wired.conf file does not exist, you are prompted to create the file in the Sun Ray Client firmware, and the Sun Ray Client reboots if you accept. The reboot is required to complete the 802.1x initialization. After rebooting, choose Configure to add configuration values to the wired.conf file.

  • Disable - Disable 802.1x authentication. This menu item removes the wired.conf file from the Sun Ray Client firmware. The Sun Ray Client must reboot to complete the process.

  • Configure - Provides a list of configuration values that can be changed in the wired.conf file.

    All string values, including file names, must be enclosed in double quotes; otherwise they are parsed as hexadecimal strings. You can specify NULL (without quotes) in a field to represent a variable that has no value, which causes the value to be cleared. Selections for file names (keys or certificates) are displayed as a list of the available files of the correct type from the corresponding directories, including the NULL selection.

    The full description of these values is provided in the wpa_supplicant example configuration file.

    • ssid - SSID (network name). This value is fixed as "wired" and it cannot be changed.

    • key_mgmt - List of accepted authentication protocols. Values include NONE (no authentication) or IEEE8021X (perform 802.1x using EAP authentication).

    • eap - List of acceptable Extensible Authentication Protocol (EAP) methods. Only one value can be specified. Values include MD5, TLS, MSCHAPV2, PEAP, TTLS, GTC, and OTP.

    • ca_cert - File path to the certificate file in the /certs directory, with one or more trusted CA certificates, used for EAP-TLS/TTLS/PEAP.

    • anonymous_identity - Anonymous identity string for EAP that supports a different tunneled identity, such as EAP-TTLS and EAP-PEAP. If this is defined, it is used as the initial EAP identity, and "identity" is used in any phase 2 protocol.

    • identity - Identity string for EAP

    • password - Password string for EAP.

    • private_key - File path to the client private key file in the /keys directory. (No private_key_passwd needs to be defined, as the private key is stored in the Sun Ray Client flash memory that cannot be accessed.)

    • client_cert - File path to a client certificate file in the /certs directory, for example, for EAP-TLS.

    • phase2 - Inner authentication parameters. This field enables you to specify the internal authentication mode for EAP-PEAP or EAP-TTLS. Example values include "auth=xxx" or "autheap=xxx", where xxx is the selected inner authentication mode. If this value is not set, then any available authentication mode is allowed.

    • ca_cert2 - File path to certificate file in the /certs directory for use in phase 2 authentication.

    • private_key2 - File path to client private key file in the /keys directory for use in phase 2 authentication.

    • client_cert2 - File path to client certificate file in the /certs directory for use in phase 2 authentication.

Note: A certificate with a passphrase is not supported.

VPN Profiles

  • Download Profile File

  • Remove Profile File

  • Show Profiles

  • Clear All Profile Files

Certificates

  • Download Certificate File

  • Remove Certificate File

  • Show Certificates

  • Clear All Certificate Files

Note: A certificate with a passphrase is not supported.

Servers

  • Server list - A list of comma-separated server names or IP addresses

  • Firmware server - Name or IP address

    [{tftp|http}://]server-name-or-IP

    Trivial File Transfer Protocol (TFTP) is the default transport and server-name-or-IP specifies the default server used to provide configuration information for download, including certificate files, .pcf files, .parms file, firmware, and configuration files.

    When using TFTP, the files must be accessible from the server's TFTP home directory. When using HTTP, the files must be located in or linked to the web server's document directory.

  • Log host - IP address of syslog host

Network

  • Network configuration - IPv4 (default) or IPv6

TCP/IP

  • Auto (available for IPv6)

  • DHCP - MTU (available for IPv4)

  • Static - IP address, netmask, router, broadcast address, MTU (IPv4) or IP address, Prefix Length, Router, MTU (IPv6)

DNS

  • Domain name - One only

  • DNS server list - List of IP addresses

Authentication

Set if the network connection requires a simple HTTP authentication before it can be used.

  • Enable/Disable switch

  • Port number

Security

Set password (lock configuration under password control)

Status

Version (equivalent to Stop-V)

Advanced

See below.

Clear Configuration

Equivalent to Stop-C.

Exit

Exit the Configuration GUI.
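The Configure entry of the 802.1x Configuration menu above lists the wired.conf fields and their rules (string values double-quoted or else parsed as hex, NULL to clear, a single eap method, certificate and key files taken from /certs and /keys). The checker below, added here as an example and not part of Sun Ray Software, encodes those rules so a wired.conf can be validated before it is staged for the /wpa repository directory. The two configuration fragments are constructed for the example; the check that ca_cert is set for the TLS-based methods reflects wpa_supplicant's behaviour of not verifying the server certificate without a trusted CA.

```python
"""Pre-flight checker for a wpa_supplicant wired.conf that is to be placed in a
Sun Ray Client's /wpa repository directory. Example code added for this page,
not part of Sun Ray Software; it encodes the rules the Configure menu lists."""
import re

# Fields whose values are strings and must therefore be double-quoted
STRING_FIELDS = {"ssid", "identity", "anonymous_identity", "password", "phase2"}
# File-name fields and the repository directory that holds files of that type
FILE_FIELDS = {
    "ca_cert": "/certs", "client_cert": "/certs", "ca_cert2": "/certs",
    "client_cert2": "/certs", "private_key": "/keys", "private_key2": "/keys",
}
KEY_MGMT = {"NONE", "IEEE8021X"}
EAP_METHODS = {"MD5", "TLS", "MSCHAPV2", "PEAP", "TTLS", "GTC", "OTP"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_network_block(text):
    """Return the key=value pairs of the first network={ ... } block."""
    fields, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            inside = True
        elif line == "}" and inside:
            break
        elif inside and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def check_wired_conf(text):
    """Return a list of problems; an empty list means the file passes."""
    fields = parse_network_block(text)
    problems = []
    if fields.get("ssid", "").strip('"') != "wired":
        problems.append('ssid is fixed as "wired"')
    key_mgmt = fields.get("key_mgmt")
    if key_mgmt not in KEY_MGMT:
        problems.append(f"key_mgmt must be NONE or IEEE8021X, got {key_mgmt!r}")
    eap = fields.get("eap")
    if key_mgmt == "IEEE8021X" and (eap is None or len(eap.split()) != 1
                                    or eap not in EAP_METHODS):
        problems.append(f"eap must name exactly one of {sorted(EAP_METHODS)}, got {eap!r}")
    for key, value in fields.items():
        if value == "NULL":
            continue  # a bare NULL clears the field; that is the documented way to unset it
        if key not in STRING_FIELDS and key not in FILE_FIELDS:
            continue
        quoted = len(value) >= 2 and value[0] == '"' and value[-1] == '"'
        if not quoted:
            hint = " and would be parsed as a hex string" if HEX_RE.match(value) else ""
            problems.append(f"{key}: value {value!r} is not double-quoted{hint}")
        elif key in FILE_FIELDS:
            path = value[1:-1]
            if not path.startswith(FILE_FIELDS[key] + "/"):
                problems.append(f"{key}: {path} is not in the {FILE_FIELDS[key]} directory")
    # wpa_supplicant does not verify the authentication server's certificate
    # unless a trusted CA is configured, so the TLS-based methods need ca_cert
    if eap in {"TLS", "TTLS", "PEAP"} and fields.get("ca_cert", "NULL") == "NULL":
        problems.append(f"eap={eap} without ca_cert: the server certificate is not verified")
    return problems


# Constructed sample: EAP-TLS with files from the /certs and /keys directories
SAMPLE_GOOD = """\
network={
    ssid="wired"
    key_mgmt=IEEE8021X
    eap=TLS
    identity="sunray-client-01"
    ca_cert="/certs/corp-ca.pem"
    client_cert="/certs/client-01.pem"
    private_key="/keys/client-01.key"
}
"""

# Constructed sample with four violations of the rules above
SAMPLE_BAD = """\
network={
    ssid=wired
    key_mgmt=IEEE8021X
    eap=PEAP
    identity=deadbeef
    phase2="auth=MSCHAPV2"
    ca_cert=NULL
    client_cert="/keys/client-01.pem"
}
"""

if __name__ == "__main__":
    for name, conf in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, check_wired_conf(conf) or "OK")
```

Run as a script it reports the good fragment as OK and lists four problems for the bad one: the unquoted ssid, the identity that would be read as hex, the client certificate placed in /keys, and PEAP with no CA certificate.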


Table 14.2. Configuration GUI Advanced Menu Items

Main Menu Item

Description

Download Configuration

Prompts for a server name and the file name of a remote configuration file to be downloaded from the server, in the form:

[{tftp|http}://][server-name-or-IP/]file-name

This field can be overwritten when selected. Pressing Return causes the corresponding remote configuration file to be read and the configuration values parsed and set on the client. For configuration values, see Table 14.3, “Remote Configuration File Key Values”.

The default transport used is TFTP and the default port is the corresponding port for the transport, 69 for TFTP and 80 for HTTP. The default server is the firmware server value in the local configuration (if server-name-or-IP is not defined) and the default file name is config.MAC, where MAC is the unit's MAC address in upper-case hexadecimal.

When using TFTP, the remote configuration file must be accessible from the server's TFTP home directory. When using HTTP, the remote configuration file must be located in or linked to the web server's document directory.

Keyboard Country Code

A keyboard country code (keyboard map) that is applied to a keyboard that returns a country code of 0, for use with non-U.S. USB keyboards that do not report a country code. For the list of valid keyboard country code values, see Section 13.2.10, “Keyboard Country Codes”.

Bandwidth Limit

The maximum amount of network bandwidth in bits per second that a given client will use.

Session Disconnect (Stop-Q)

Enables or disables the ability to terminate a session by pressing Stop-Q. This feature is useful when you want to terminate a VPN connection and leave the Sun Ray in an inactive state. Pressing the Escape key after the session has terminated reboots the Sun Ray Client.

Force Compression

Sets a tag sent from the Sun Ray Client to the Xserver telling it to enable compression regardless of available bandwidth.

Lossless Compression

Disables the use of lossy compression for image data.

Disallow utload

Disables the ability to explicitly force a firmware load into a Sun Ray Client. In this way, firmware can be tightly controlled using .parms files or DHCP parameters.

Force Full Duplex

Allows the Sun Ray Client to operate correctly when the network port that it is connected to does not auto-negotiate. In that case, the auto-negotiation results in the Sun Ray running at half duplex, which significantly impacts network performance. This setting allows the Sun Ray to operate with better performance in this situation.

Enable Fast Download

If set, the Sun Ray Client uses the maximum TFTP transfer size if the TFTP server supports it. Over a high latency connection, this setting typically doubles the speed of firmware downloads. There are no disadvantages to enabling fast downloads on low latency LANs.

This parameter is disabled by default and the transfer size is set at 512-byte packets. It is disabled by default for backwards compatibility with TFTP servers that might not support the more advanced protocol. If this parameter were on by default and a firmware download were to fail, there would be no way to recover.

Power Off Timer

Energy Star power off feature for Sun Ray 3 Series Clients. The value for the power off feature is in minutes. The default power off time is 30 minutes. A value of 0 disables the power off feature.

Enter Alternate STOP modifiers

Specifies an alternative combination of modifier keys to perform the same function as the Stop key on an Oracle keyboard or the Ctrl-Pause key sequence on a non-Oracle keyboard. By default, this alternative combination is Ctrl-Shift-Alt-Meta. See Section 13.2.2, “Sun Ray Client Hot Keys” for details.

You can change Ctrl-Shift-Alt-Meta to any other combination of the same keys, but at least two of the keys must be used. For example, you can set this value to Ctrl-Alt or Meta-Ctrl-Shift.

If this parameter is set to none, the alternative key combination is disabled.

Note that the Meta key has different names on different keyboards: on a PC keyboard, it is the "Windows" key, and on a Mac keyboard, it is the "Command" key.

Command Cache Size

Specifies the size, in Kbytes, of the command cache look-back buffer. This area is used to store a list of recent commands used by the firmware, and the commands are replayed from the cache if used again. The default value is 512 Kbytes, the maximum value is 8192 Kbytes, and a zero value disables the command cache.

Video

  • Blanking - Specifies the blanking timeout, which is the time until the screen is put to sleep, in minutes. Specify 0 to disable.

Video input disable

Sun Ray 270 Client only. If set, turns off the input selector on the front of the client and locks the monitor so that it displays only the Sun Ray output. This feature prevents users from connecting a PC to the VGA video input connector on a client and using it as a monitor.


14.5.3. How to Load a Remote Configuration File

To help avoid error-prone manual entry of local configuration data or to help configure a lot of Sun Ray Clients more quickly, you can use the Download Configuration menu item to download a pre-defined remote configuration file from a server via TFTP or HTTP.
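The Download Configuration item of Table 14.2 gives the entry format [{tftp|http}://][server-name-or-IP/]file-name and its defaults (TFTP, port 69 or 80, the local firmware server, and the file name config.MAC). The function below, added here as an example and not Sun Ray Software's own code, applies those defaults so an administrator can predict which file a given client will request and name the staged files accordingly. That the MAC address in config.MAC is written without separators is an assumption; the text only says upper-case hexadecimal.

```python
"""Resolve a Download Configuration entry to the transport, server, port and
file name the client will request. Example code added for this page, not part
of Sun Ray Software."""
import re

DEFAULT_PORT = {"tftp": 69, "http": 80}


def config_file_name(mac):
    """Default file name config.MAC for a client with the given MAC address."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)  # assumption: separators are dropped
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return "config." + digits.upper()


def resolve_download(spec, firmware_server, mac):
    """Return (transport, server, port, file_name).

    spec is the Download Configuration entry as typed; firmware_server is the
    local Firmware server value, which may itself carry a tftp:// or http://
    prefix (only its host part is used here)."""
    rest = spec.strip()
    transport = None
    match = re.match(r"^(tftp|http)://(.*)$", rest)
    if match:
        transport, rest = match.group(1), match.group(2)
    # The grammar requires a "/" after the server, so a bare word is a file name.
    if "/" in rest:
        server, file_name = rest.split("/", 1)
    else:
        server, file_name = "", rest
    if not server:
        server = re.sub(r"^(tftp|http)://", "", firmware_server.strip())
    if not file_name:
        file_name = config_file_name(mac)
    transport = transport or "tftp"
    return transport, server, DEFAULT_PORT[transport], file_name


if __name__ == "__main__":
    # Constructed values: a firmware server from the local configuration and a client MAC
    for spec in ("", "lab.conf", "http://web.company.com/sunray/site.conf"):
        print(repr(spec), "->", resolve_download(spec, "tftp://config-server.company.com",
                                                 "00:03:ba:12:34:ab"))
```

An empty entry resolves to TFTP port 69, the firmware server, and config.0003BA1234AB; a bare file name keeps the TFTP defaults but requests that file; a full http:// entry switches to port 80 on the named web server.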

The keywords shown in Table 14.3, “Remote Configuration File Key Values” correspond to configuration values that can be set from the Configuration GUI menus. To group items that are logically related, some of the keywords take the form family.field.

Table 14.3. Remote Configuration File Key Values

Key Values

Description

target-file-path=file-to-copy (file copy entry)

You can copy configuration files and certificates/keys to the firmware's security configuration repository by using a file copy entry. A file copy entry follows the normal key=value format, except the key used is the absolute path name of the target file and it must begin with a "/" character. The value used is the configuration file to be copied, which needs to be located in the same location as the remote configuration file. You can use the file copy entries for both VPN and wpa_supplicant configuration files.

For example, the file copy entry /wpa/wired.conf=wired_config will copy the file wired_config from the configuration server to the /wpa/wired.conf file on the Sun Ray Client. Once you add all the necessary file copy entries, you can choose Advanced > Download Configuration in the Configuration GUI to download the remote configuration file and copy the files specified. See Section 14.5.1, “Security Configuration Repository” for more information.

VPN/IPsec Submenu

vpn.enabled

Enable toggle

vpn.peer

Remote gateway name/IP address

vpn.group

VPN group

vpn.key

VPN key

vpn.user

Xauth user

vpn.passwd

Xauth password

vpn.pin

PIN lock for use of user/passwd

vpn.peertype

Cisco or Netscreen

vpn.authtype

Xauth, Preshared, or Hybrid

vpn.dhgroup

Diffie-Hellman group to use

vpn.pfsgroup

PFS group to use

vpn.lifetime

Lifetime of IKE connection

vpn.ipsectime

Lifetime of IPsec connection

vpn.dpdswitch

Dead peer detection

vpn.killtime

Idle timeout value to drop VPN connection.

DNS Submenu


dns.domain

Domain name

dns.servers

Server list (comma-separated IP addresses)

Servers Submenu

servers

Sun Ray server

tftpserver

Firmware (TFTP) server

loghost

Syslog host

Security Submenu

password

Set administrator password

Network Submenu

network

Type of network (IPv4 or IPv6)

TCP/IP Submenu

ip.ip

Static IPv4 address

ip.mask

Static netmask

ip.bcast

Static broadcast address

ip.router

Static router

ip.mtu

MTU

ip.type

IP address source (DHCP or Static)

TCP/IPv6 Submenu

ip.ip6

Static IPv6 address

ip.prefix

Static IPv6 prefix

ip.router

Static router

ip.mtu

MTU

ip.type

IP address source (Auto or Static)

Advanced Submenu

kbcountry

Keyboard country code

bandwidth

Bandwidth limit in bits per second.

stopqon

Enable (1) or Disable (0) Stop-Q for disconnect

compress

Force compression on when 1

lossless

Force use of lossless compression when 1

utloadoff

Disallow use of utload to force firmware download when 1

fastload

Force maximum TFTP transfer rate when 1

fulldup

Force full-duplex when 1

poweroff

Poweroff time in minutes

stopkeys

Change alternate combination of keys used for Stop key

cmdcachesize

Command cache size

videoindisable

Disable input selector of Sun Ray 270 Client when 1


The format of the file is a set of key=value lines, each terminated by a newline character, which are parsed and the corresponding configuration items set (see the sample file below). No whitespace is permitted. Key values are case-sensitive and should always be lower case, as listed above. Setting a keyword to a null value results in the configuration value being cleared in the local configuration.

14.5.3.1. Sample VPN Configuration File

vpn.enabled=1
vpn.peer=vpn-gateway.company.com
vpn.group=homesunray
vpn.key=abcabcabc
vpn.user=johndoe
vpn.passwd=xyzxyzxyxzy
dns.domain=company.com
tftpserver=config-server.company.com
servers=sunray3,sunray4,sunray2
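The format rules above (key=value lines, no whitespace, case-sensitive lower-case keys, a null value clearing the setting) and the file copy entries described for Table 14.3 (a key that is an absolute repository path, with the source file beside the configuration file on the server) can be checked before a file is put on the TFTP or HTTP server. The parser below is an example added here, not part of Sun Ray Software; its key list is taken from Table 14.3, its repository directories from Section 14.5.1, and it also lists the keys that carry credentials (vpn.key, vpn.passwd, vpn.pin, password) so a reviewer sees which secrets a given file contains. The first sample is the page's own sample file extended with a file copy entry and a cleared key; the second is constructed to show the rejected cases.

```python
"""Parser and pre-flight check for the Sun Ray remote configuration file format
of Table 14.3. Example code added for this page, not part of Sun Ray Software."""
import re

# Keys listed in Table 14.3
KNOWN_KEYS = {
    "vpn.enabled", "vpn.peer", "vpn.group", "vpn.key", "vpn.user", "vpn.passwd",
    "vpn.pin", "vpn.peertype", "vpn.authtype", "vpn.dhgroup", "vpn.pfsgroup",
    "vpn.lifetime", "vpn.ipsectime", "vpn.dpdswitch", "vpn.killtime",
    "dns.domain", "dns.servers", "servers", "tftpserver", "loghost", "password",
    "network", "ip.ip", "ip.mask", "ip.bcast", "ip.router", "ip.mtu", "ip.type",
    "ip.ip6", "ip.prefix", "kbcountry", "bandwidth", "stopqon", "compress",
    "lossless", "utloadoff", "fastload", "fulldup", "poweroff", "stopkeys",
    "cmdcachesize", "videoindisable",
}
# Keys whose values are secrets; reported so a reviewer knows what the file carries
CREDENTIAL_KEYS = {"vpn.key", "vpn.passwd", "vpn.pin", "password"}
# Repository directories from Section 14.5.1; file copy targets must lie in one of them
REPOSITORY_DIRS = ("/certs/", "/keys/", "/wpa/", "/ike/", "/preshared/", "/profiles/")


def parse_remote_config(text):
    """Return (settings, file_copies, credentials, errors).

    settings maps key -> value, with None where the value is null (the key is
    cleared on the client); file_copies maps target path on the client -> source
    file that must sit beside the configuration file on the server; credentials
    lists the credential-carrying keys that have a value."""
    settings, file_copies, errors = {}, {}, []
    for lineno, line in enumerate(text.split("\n"), 1):
        if line == "":
            continue  # the terminating newline leaves an empty last element
        if re.search(r"\s", line):
            # also catches CRLF line endings, a common cause of a rejected file
            errors.append(f"line {lineno}: whitespace is not permitted")
            continue
        if "=" not in line:
            errors.append(f"line {lineno}: not a key=value line")
            continue
        key, value = line.split("=", 1)
        if key.startswith("/"):
            if not key.startswith(REPOSITORY_DIRS):
                errors.append(f"line {lineno}: {key} is not inside a repository directory")
            elif not value:
                errors.append(f"line {lineno}: file copy entry {key} names no source file")
            else:
                file_copies[key] = value
        elif key in KNOWN_KEYS:
            settings[key] = value or None  # empty value clears the setting
        elif key.lower() in KNOWN_KEYS:
            errors.append(f"line {lineno}: keys are case-sensitive, use {key.lower()}")
        else:
            errors.append(f"line {lineno}: unknown key {key!r}")
    credentials = sorted(k for k, v in settings.items() if k in CREDENTIAL_KEYS and v)
    return settings, file_copies, credentials, errors


# The page's sample VPN file, plus a file copy entry and a cleared key (constructed)
SAMPLE_CONFIG = """\
vpn.enabled=1
vpn.peer=vpn-gateway.company.com
vpn.group=homesunray
vpn.key=abcabcabc
vpn.user=johndoe
vpn.passwd=xyzxyzxyxzy
dns.domain=company.com
tftpserver=config-server.company.com
servers=sunray3,sunray4,sunray2
/wpa/wired.conf=wired_config
vpn.pin=
"""

# Constructed file with one violation per line
BAD_CONFIG = """\
Vpn.Enabled=1
vpn.peer = vpn-gateway.company.com
bogus=1
/tmp/notes.txt=notes
"""

if __name__ == "__main__":
    settings, copies, creds, errs = parse_remote_config(SAMPLE_CONFIG)
    print("settings:", settings)
    print("file copies:", copies)
    print("credentials present:", creds)
    print("errors:", errs or "none")
    print("bad file errors:", parse_remote_config(BAD_CONFIG)[3])
```

For the sample file the parser reports no errors, one file copy (/wpa/wired.conf from wired_config), vpn.pin as cleared, and vpn.key and vpn.passwd as the credentials the file carries; the constructed bad file yields one error per line.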