3270 Application object

An SGD object that represents a 3270 protocol application running on a mainframe host. 3270 Application objects have a cn= naming attribute.

5250 Application object

An SGD object that represents a 5250 protocol application running on an AS/400 host. 5250 Application objects have a cn= naming attribute.


Active Directory

Microsoft's implementation of LDAP directory services. Used to store information about the resources, services, and users across a Windows domain.

Active Directory Container object

An SGD object used to represent an Active Directory structure within the SGD organizational hierarchy. Active Directory Container objects have a cn= naming attribute.

advanced load balancing

Load balancing algorithms that measure the true load on application servers, using information provided by the SGD Enhancement Module.


Adaptive Internet Protocol. A proprietary protocol used by SGD software components. AIP optimizes the user experience by choosing the most efficient ways to transfer application display data and user input between client devices and SGD servers.


Advanced Linux Sound Architecture.

ambiguous login

The situation where an authentication mechanism has found more than one match for a user and cannot distinguish between them without further information from the user.

anonymous user authentication

An authentication mechanism where users can log in to SGD without supplying a user name or password. Anonymous user authentication is disabled by default.


American National Standards Institute.


Application programming interface.


A software program running in a web browser.

application launch dialog

Dialog shown when a user clicks a workspace link to start an application.

application load balancing

The mechanism that determines which application server runs a user's application.

application server

A networked device, such as a Windows server or Linux server, configured to run applications. Application servers are represented in the SGD datastore by an Application Server object.

Application Server object

An SGD object that represents an application server used to run applications through SGD. Application Server objects have a cn= naming attribute.

application server password cache

A secure store of application server user names and passwords associated with user identities. Maintained so that application server authentication can proceed without prompting the user. Also called the password cache.

application session

An application session begins when a user starts an application, and ends when the application exits. Information about an application session is stored in memory by the SGD server. Each application session is associated with a Protocol Engine.

application session load balancing

The mechanism that determines which SGD server in the array manages the application session, and runs the Protocol Engine for a user's application.


A collection of SGD servers that share configuration information. The SGD servers in an array act together to enable users to see the same webtop, and resume their applications, whatever SGD server they log in to. Arrays of SGD servers provide scalability and redundancy.

array route

Configures SOCKS proxy server usage, depending on the IP address of the client device.

Assignment Type

A field in the Administration Console that indicates the origin of an object link. Assignment Types can be Direct, Indirect, or Multiple. See also direct assignment, indirect assignment, multiple assignment.

ATR string

Automatic Terminal Recognition string. A sequence of bytes used to identify a smart card.


A named property of an object. Attributes may have zero or more values, as defined by the schema.

attribute map

A file that defines how character attributes, such as bold and underline, are displayed in an SGD terminal emulator.


batch scripting

The ability to perform more than one SGD related task with a single instance of a tarantella command.

billing service

An SGD service that logs user session and application session information for an SGD server or an array of SGD servers.



See Certificate Authority.

CA certificate

See root certificate.


Client Access License. Used by Microsoft Windows Terminal Services.


Common Desktop Environment. A graphical user interface for UNIX desktops.


See client drive mapping.

Certificate Authority

A trusted issuer of SSL certificates.

Certificate Signing Request

Information supplied to a Certificate Authority, that is used to verify identity and generate an SSL certificate.


Common Gateway Interface. A specification for interfacing external applications with a web server.

Character Application object

An SGD object that represents a VT420, Wyse 60, or SCO Console application. Character Application objects have a cn= naming attribute.


In cryptography, an algorithm for performing encryption and decryption.

client device

A networked device, such as a Windows PC or Linux workstation, used to access an SGD server.

client drive mapping

Enables users to access some or all of their client's drives, from an application running on an application server.

client profile

Settings for the SGD Client, including server URL, proxy settings, and mode of operation. The client profile is downloaded to the client device when a user connects to an SGD server.


See common name.

color map

SGD terminal emulators support a palette of 16 colors. The color map is a file that defines the RGB values of these colors.

COM port

A serial port, in a Microsoft Windows environment.

common name

A name used to identify an entry in an LDAP directory. For example, the name of a person.

Configuration Wizard

A tool for SGD Administrators, useful for quickly adding new objects to an existing hierarchy, rather than creating a new hierarchy.


A short packet of data, used as an identification token. Some cookies are encrypted, to prevent forgery.


Central processing unit.


See Certificate Signing Request.


Common UNIX Printing System.



A service process on UNIX platform operating systems that runs in the background, rather than under the direct control of a user.

data replication

The process where SGD system data is copied from the primary server in an SGD array to the secondary servers in the SGD array.


The sum of all the information used by the various components of SGD, including information about application servers and users on the network, user session and application session information, and organizational information. Organized into namespaces, such as _ens and _dns.


Definite Encoding Rules. A cryptographic format used for storing SSL certificate keys.


Data Encryption Standard. A cryptographic cipher.

desktop workspace

Workspace shown when a user logs in to SGD from a desktop computer. This workspace uses an JSP page to display and run applications.

digital signature

Information encrypted with a user's private key and appended to a message to ensure the authenticity of the message. The digital signature can be verified using the user's public key. See also public key cryptography.

direct assignment

In the Administration Console, a one-to-one object link created using the Editable Assignments table. See also editable assignment.

Directory (light) object

A container object in SGD, similar to an Organization object, but does not include SGD-specific attributes or allow you to assign applications. Examples include a Domain Component object and an Active Directory Container object.

directory services

Services that store and manage the resources and users on a network. SGD uses the principles of directory services for object storage and management.

Directory Services Integration

The ability to define workspaces for users without requiring User Profile objects for those users in the SGD datastore. Instead, user information is kept in an external LDAP directory. Application objects in the SGD datastore define which LDAP users can see them on their workspace.


The process of resolving an ambiguous login.

Display Engine

An SGD software component that runs on a client device. Display Engines display applications to users and accept user input. They use AIP to communicate with Protocol Engines on SGD servers.

distinguished name

The name that uniquely identifies an entry in an LDAP directory.

distributed printing

Where print jobs are distributed across the array, avoiding bottlenecks and single points of failure. A user's print jobs are processed on the SGD server hosting the application session for the application you want to print from.


See distinguished name.


Domain Name System.

DNS name

A unique name for a computer on a network, for example,

Document object

An SGD object that represents a document on the web. Documents can be any URL, including OpenOffice documents, or Adobe Acrobat files. A Document object can also refer to a web application. Document objects have a cn= naming attribute.

Domain Component object

An SGD object used to replicate a directory structure, usually a Microsoft Active Directory structure, within the SGD organizational hierarchy. Domain Component objects have a dc= naming attribute.

domain controller

See Windows domain controller.


See Directory Services Integration.


editable assignment

In the Administration Console, a one-to-one object link that can be edited by an SGD Administrator. See also direct assignment.

effective assignments

In the Administration Console, a summary of the object links for the current object. Effective assignments can include both direct assignments and indirect assignments.

Enhancement Module

An optional SGD software component installed on an application server to provide additional SGD functionality, such as client drive mapping, audio, and advanced load balancing.

environment variables

A set of system configuration values that can be accessed by a running program.


Enlightened Sound Daemon. A sound server for UNIX and Linux platforms that enables mixing of several digitized audio streams for playback by a single device.


See ESD.


Execution Protocol Engine.


An extension to the Tcl scripting language, typically used for interactive applications. The SGD login scripts are written in the Expect language.

external DNS name

The name by which an SGD server is known to a client device. An SGD server can have multiple external DNS names.



A short sequence of bytes used to authenticate or look up a public key.


Federal Information Processing Standards. Standards developed by the United States Federal government for use by non-military government agencies and government contractors.

firewall traversal

Running SGD through a single open firewall port between client devices and SGD servers. Also known as firewall forwarding.

font server

A program that makes fonts on a host available on a network.

forced authentication

When SGD prompts for a user name or password, by displaying an authentication dialog. For example, if a user holds down the Shift key when they click an application's link on the workspace.


See fully qualified domain name.

fully qualified domain name

The full name of a system, containing its hostname and its domain name. For example,, where boston is the hostname of a server, and is the domain name.

fully qualified name

An unambiguous name used to specify an SGD object. For example, .../_ens/o=organization/ou=marketing/cn=Indigo Jones, specifies a User Profile object in SGD.


Global Administrators

A role object in the Tarantella System Objects organization, used to assign administrative privileges to users.

global catalog

A domain controller that contains attributes for every object in the Active Directory.

Group object

An SGD object that represents a collection of applications or application servers. Each application or application server in the group is called a member. Group objects have a cn= naming attribute.



Hypertext Markup Language. A document format used for web pages.


Hypertext Transfer Protocol.


Hypertext Transfer Protocol over Secure Sockets Layer.





Internet Assigned Numbers Authority. Organization that allocates and manages IP addresses, domain names, and port numbers used by the Internet.


Independent Computing Architecture. A protocol used by Citrix Presentation Server to communicate with client devices.


See input method.


Input method editor. See input method.

indirect assignment

In the Administration Console, an object link created by an LDAP search or by inheritance from another object.


The ability to define workspace content implicitly. Content is usually inherited from the parent object, but other objects can also be used.

input method

A program that enable users to enter characters or symbols not found on their keyboard. On Microsoft Windows platforms, an IM is called an input method editor (IME).

IP address

Internet Protocol address. A unique 32-bit numeric identifier for a computer on a network.



Java Archive.


Java Development Kit.


Java Desktop System.


Java Runtime Environment.


JavaServer Page.

JSP container

A web server component that handles requests for JSP pages. SGD uses the Tomcat JSP container.


Java Secure Socket Extension. An implementation of SSL using Java technology.


Java Virtual Machine.



Key Distribution Center. Used by Kerberos authentication as part of the Active Directory authentication mechanism.


K Desktop Environment. An open source graphical user interface for UNIX and Linux platforms.


An authentication system used for Active Directory authentication.

keyboard map

A file that contains mapping information between keys on the user's client keyboard and keys on a terminal. Used with SGD terminal emulators.


A database of cryptographic keys. A keystore can contain both public keys and private keys.

kiosk mode

SGD display mode where an application is displayed full-screen.



Lightweight Directory Access Protocol.

LDAP directory

A set of LDAP objects organized in a logical and hierarchical manner.

LDAP search filter

An RFC2254-compliant search filter, used to select objects in an LDAP directory.


An RFC1959-compliant URL, used to select objects in an LDAP directory.


Lightweight Directory Access Protocol over SSL. Used for secure connections to an LDAP directory.

load balancing groups

The mechanism that delivers the best possible user experience by choosing SGD servers and application servers linked by a fast network where possible.

local repository

A store containing information about users, applications, workspaces, and application servers. Stored on the primary SGD server and replicated to other SGD servers in the array. Corresponds to the _ens namespace in the SGD datastore. Can be managed using the Administration Console or the tarantella commands.


A set of parameters that defines the user's language, country, and other location-specific preferences.

log filter

A string used to configure error reporting to the SGD log files.

login script

A script that runs on the SGD server when a user starts an application. Connects to the application server, supplies authentication credentials for that server, and starts the application.


Line Printer Daemon. A printing protocol used to provide print server functions to a UNIX or Linux platform system. Also known as LPR.


Line Printer Remote. See also LPD.



A constituent of a group or a role. In SGD, Group objects and Role objects contain one or more member objects. These are usually Application objects, User Profile objects, or Application Server objects.

multiple assignment

In the Administration Console, an object link that has both direct assignment and indirect assignment sources. See also Assignment Type.


MultiplePlexing Protocol.

My Desktop

A feature of SGD that enables users to log in and display a full-screen desktop, without displaying an SGD workspace.


NetBIOS name

An identifier for a computer running Microsoft Windows. The NetBIOS name can be specified when Windows networking is installed or configured on the computer.


Network File System.


Network Interface Card, also called a network adapter card.


Network Level Authentication. A network authentication protocol for authenticating to a Remote Desktop Session Host. NLA provides enhanced security by authenticating the user before establishing the connection to the host.


Network Time Protocol.



A self-contained entity, defined by a number of attributes and values. SGD objects have different types, such as X Application or Character Application. The available attributes for each type are defined by a schema.

Organization object

An SGD object used to represent the top level of an organizational hierarchy. Organization objects can contain OU or User Profile objects. Organization objects have an o= naming attribute.

organizational hierarchy

The collection of objects in the SGD datastore, descending from one or more Organization or Domain Component objects. Represents the collection of people, application servers, and applications within an organization.

Organizational Unit object

An SGD object used to distinguish different departments, sites, or teams in an organizational hierarchy. Organizational Unit (OU) objects can be contained in an Organization or Domain Component object. Organizational Unit objects have an ou= naming attribute.


Open Sound System. A standard interface for audio recording and reproduction in UNIX platform operating systems


See Organizational Unit object.



Pluggable Authentication Modules.


In SecurID authentication, the combination of the PIN and the tokencode.

password cache

Short form of application server password cache.


Personal Computer/Smart Card. A standard for interoperability of PCs, smart card readers, and smart cards.


Printer Command Language.


Pulse Code Modulation.


Portable Document Format.

PDF printing

An SGD feature available for client devices with Adobe Reader software installed. Enables users to print to a PDF printer from their application, which either displays the file or prints using the Adobe Reader program on their client device.

peer DNS name

The name by which an SGD server is known to other SGD servers in the same array.


Privacy-Enhanced Mail. Protocol based on public key cryptography.


Code supplied to a SecurID device using a key pad. Combined with a tokencode to form a passcode.


Public Key Cryptography Standards. Specifications produced by RSA Laboratories for public key cryptography.


Public Key Infrastructure. A security infrastructure based on public key cryptography.

primary server

The SGD server that acts as the authoritative source for global information, and maintains the definitive copy of the SGD datastore.

print queue

A number of print jobs placed in a storage area on disk.

private key

In public key cryptography, a key that is only know by the recipient of a message. The private key can be used to decrypt messages and to create digital signatures.

Protocol Engine

An SGD software component that runs on an SGD server. Protocol Engines emulate native protocols such as X11 and RDP and communicate with application servers, sending display data using AIP to Display Engines on client devices. See also application session.

proxy server

A server that acts as an intermediary between a client device and the Internet. The proxy server can provide access control and web request caching services.

public key

In public key cryptography, a key that can be distributed to anyone. The public key can be used to encrypt messages and to verify digital signatures.

public key cryptography

A cryptographic system using a pair of keys, a public key and a private key. The public key is used to encrypt messages and the private key is used to decrypt messages.


A network sound server for UNIX and Linux platforms.



Random access memory.


Resize, Rotate, and Reflect Extension. An X extension used by SGD for multi-monitor support and dynamic resizing of application sessions.


See relative distinguished name.


Remote Desktop Protocol. Protocol that allows a user to connect to a computer running Windows Terminal Services.

RDP printing

Another name for SGD printing from application servers using Windows Terminal Services.


Microsoft Windows registry. On Windows client devices, a database of settings for the operating system.

relative distinguished name

In an LDAP directory, the part of a distinguished name that uniquely identifies a child entry for a common parent entry.

Remote Desktop Services

Microsoft Windows software that enables client devices to run applications and access data on a networked Windows server. From Windows Server 2008 R2, Remote Desktop Services is the name for Terminal Services.


A store containing user information.


The attribute of an application session that controls its lifetime. Defined on a per-application basis by an SGD Administrator, as either never resumable, resumable during the user session, or always resumable. See also resume and suspend.


To redisplay an application session that has been suspended. See also suspend.

RGB value

Defines a color in the RGB color model. The amount of red, green, and blue in the color are indicated by a value from 0 to 255.

roaming profiles

A feature of SGD that provides Microsoft Windows users with the same working environment, no matter which Microsoft Windows computer they use.

Role object

An object that defines the members and applications associated with a particular role in SGD. Currently, only one role is available, Global Administrators. This role defines the SGD Administrators.

root certificate

A self-signed certificate issued by a root level Certificate Authority.



Software that enables a UNIX or Linux platform server to act as a file server for Windows client devices. Uses a variant of the SMB file sharing protocol.


Solaris Card Framework.

seamless windows

An SGD window display mode used for Windows applications. Causes an application's windows to behave in the same way as an application running on a Microsoft Windows application server, regardless of the user's desktop environment. Requires the SGD Enhancement Module.

secondary server

An array member that is not the primary server. The primary server replicates information to secondary servers.

secure connection

A connection between client device and SGD server that uses SSL to protect AIP traffic from eavesdropping, tampering, and forgery. Not related to HTTPS traffic.

This is the default connection mode when using SGD.

secure intra-array communication

Secure, encrypted, communication between SGD array members. Uses SSL.


An authentication mechanism developed by RSA to authenticate a user to a network resource.

self-signed certificate

AnSSL certificate signed by the person who created it.

serial port

A physical interface on a computer through which information is transferred one bit at a time.

server affinity

Where possible, SGD runs an application on the same application server as the one used to run the previous application for the user. See also application load balancing.

session grabbing

The situation where a user logs in to an SGD server, but they already have a user session on another SGD server. The user session is transferred to the new SGD server and the old session ends.


Secure Global Desktop software.

SGD Administrator

An SGD user with permission to configure SGD settings and create and edit SGD objects, either using the Administration Console or the tarantella commands.

SGD Client

An SGD component that can be installed on client devices. The SGD Client maintains communication with the SGD server and is required to run applications.

SGD Client Helper

A Java applet that downloads the SGD Client.

SGD server

A collection of SGD software components that together provide SGD functionality.

SGD Web Server

A pre-built web server installed and configured along with the SGD server Contains Apache, mod_ssl for HTTPS support, and Tomcat for Java Servlet and JSP support.

SGD web services

A collection of APIs that allow developers to build their own applications to work with SGD. The APIs can be used to authenticate users, launch applications, and interact with the SGD datastore.


Secure Hash Algorithm. In cryptography, an algorithm that computes a fixed-length representation of a message, called a message digest.


When an SGD Administrator displays and interacts with a user's application at the same time as the user.

single sign-on

Feature which allows access to multiple systems with a single login. After logging in to one system, the user is not prompted for authentication credentials when logging in to subsequent systems.


Secret Key Identification. An authentication protocol where a shared secret is used to authenticate a connection.

smart card

A plastic card, about the size of a credit card, with an embedded microchip that can be loaded with data.

smart card authentication

Authentication to a Windows application server by means of user data contained on a smart card.


Server Message Block.


Simple Object Access Protocol. A protocol for sending XML messages over computer networks using HTTP.


A protocol used by proxy servers to handle TCP connection requests from client devices inside a firewall.


Secure Shell. A secure network protocol for data exchange between two computers.


Secure Sockets Layer. A cryptographic protocol designed for secure Internet communications.

SSL certificate

A digital passport that establishes credentials on the web. In SGD, allows client devices to trust the identity of an SGD server.


Single sign-on. See single sign-on.

standard connection

A connection between a client device and an SGD server that is not secured.

subject alternative name

Alternative DNS name, other than the hostname, specified for an SGD server on an SSL certificate.


To pause an application session. A suspended application is not closed down, it can be resumed. See also resume.

system authentication

A component of the SGD server that authenticates users against an external authentication service, such as a Windows domain or an LDAP directory, and determines a user's SGD user identity and user profile.


tablet workspace

Workspace shown when a user logs in to SGD from a tablet device. This workspace uses an HTML5 web page to display and run applications.

tarantella command

An SGD administration tool available from the command line. Used to control the SGD server and make configuration changes.

Tarantella System Objects

The Organization object in the SGD datastore that contains objects essential for smooth running and maintenance of SGD.


Tool Command Language. A scripting language developed by John Ousterhout. The SGD login scripts include some Tcl functions.


Transmission Control Protocol.


Transmission Control Protocol/Internet Protocol.

terminal emulator

A program that runs on a graphical user interface and emulates a “dumb” video terminal. SGD includes terminal emulators for SCO Console, Wyse 60, and VT420 terminals.

Terminal Services

Microsoft Windows software that enables client devices to run applications and access data on a networked Windows server. From Windows Server 2008 R2, Terminal Services is renamed Remote Desktop Services.

third-party authentication

A component of the SGD server that trusts authentication information supplied by a third party and uses that information to automatically authenticate the user as an SGD user, allocating a user identity and a user profile.


A random number generated by a SecurID device. Combined with a PIN to form a passcode.

ttaserv, ttasys

Users and a group (ttaserv) that must be set up on a system before SGD can be installed. These users and group own some SGD files and processes after installation.



Ultrix Communications Extensions.


User Datagram Protocol.


Universal Naming Convention.


A standard for universal character encoding. Provides the basis for processing, storage, and interchange of text data in any language.


Uniform Resource Locator.

user identity

The SGD concept of who a user is. A user identity can belong to one of a number of different namespaces. User identities are allocated by authentication mechanisms. The user identity can be the same as the user profile in some cases.

user principal name

In Active Directory, the required format for user names. The user principal name is in email address format, for example,

User Profile object

An SGD object that represents a user in an organization. Can be used to give a user access to applications. User Profile objects can have a cn= (common name), a uid= (user identification), or a mail= (mail address) naming attribute.

user session

Begins when a user logs in to SGD, and ends when the user logs out. Information about a user session is stored in memory by the SGD server.

user session load balancing

The mechanism that determines which SGD server in the array a user logs in to to display their webtop.


Coordinated Universal Time.


virtual hosting

Hosting of multiple web servers on the same computer. Each web server has a different DNS name.


Virtual Memory System. Operating system originally developed for use on the VAX and Alpha family of computers from DEC.


Virtual server broker. Software used to obtain a list of application servers that can run an application. A VSB can be used to integrate SGD with Oracle Virtual Desktop Infrastructure.



Wide Area Network.


Web Application Archive.

websocket connection

A two-way data connection between an SGD server and a client device. The connection uses the WebSocket protocol, a TCP-based protocol which was developed as part of the HTML5 initiative. For more information, see RFC 6455.


Term used in previous releases for workspace.

Windows Application object

An SGD object that represents a Microsoft Windows graphical application. Windows Application objects have a cn= naming attribute.

Windows domain

A logical group of computers running the Windows operating system.

Windows domain controller

A server in a Windows domain that hosts the Active Directory. The domain controller handles authentication of users and administration tasks.

Windows protocol

In SGD, the protocol used to connect to an application server hosting a Microsoft Windows application.


Windows Internet Name Service.


Collective term for a user's applications, documents, and desktops. A web page where users can run applications using SGD, view documents, and manage print jobs. Can be accessed using a web browser or the SGD Client. Previously called a webtop.

workspace content

The collection of applications and documents that appear on a user's workspace.

workspace inheritance

The ability to define workspace content implicitly. Content is usually inherited from the parent object, but other objects can also be used.

workspace link

A hyperlink on an SGD workspace that the user clicks to starts an application.


X Application object

An SGD object that represents an X11 graphical application. X Application objects have a cn= naming attribute. See also X11 protocol.

X authorization

Access control mechanisms that control whether a client application can connect to an X server.

X Window System

A distributed window system for UNIX platform operating systems, based on the X11 protocol. Also called X11, or X Windows.

X.509 certificate

See SSL certificate.

X11 forwarding

The process of forwarding, or tunneling, the windows of a remotely started X application to a client desktop.

X11 protocol

Display protocol used for the X Window System.


X Keyboard extension. An X extension used by SGD to provide enhanced keyboard support.



A feature of Oracle Solaris that enables multiple virtual operating systems to be deployed on a single Oracle Solaris server.