This section describes how to configure Windows application objects.
This section includes the following topics:
Section 4.1.2, “Creating Windows Application Objects on the Command Line”
Section 4.1.3, “Configuring Microsoft Windows Remote Desktop Services for Use With SGD”
Section 4.1.4, “Licensing Microsoft Windows Remote Desktop Services”
Section 4.1.5, “Microsoft Windows Remote Desktop Connection”
Section 4.1.7, “Key Handling for Windows Remote Desktop Services”
Section 4.1.8, “Returning Client Device Information for Windows Remote Desktop Services Sessions”
You use a Windows application object if you want to give a Microsoft Windows graphical application to users.
In the Administration Console, the configuration settings for Windows application objects are divided into the following tabs:
General tab – These settings control the name and the icon used when creating links for users
Launch tab – These settings control how the application is started and whether application sessions can be suspended and resumed
Presentation tab – These settings control how the application is displayed to users
Performance tab – These settings are used to optimize the performance of the application
Client Device tab – These settings control how the user's client device interacts with the application
The following table lists the most commonly used settings for configuring Windows application objects, and how to use them.
Attribute | Description |
---|---|
Name | The name that users see. |
Icon | The icon that users see. |
Application Command | The full path to the application that runs when users click the link. The application must be installed in the same location on all application servers. Leave this field blank if you want to run a Windows desktop session. |
Arguments for Command | Any command-line arguments to use when starting the application. |
SGD Remote Desktop Client | By default, the SGD Remote Desktop Client is used to run the application on the Microsoft Windows application server. SGD uses the Microsoft RDP protocol to connect to the application server. See Section 4.1.3, “Configuring Microsoft Windows Remote Desktop Services for Use With SGD”. |
Domain Name | The Windows domain to use for the application server authentication process. This can be left blank. The domain can also be configured on either the application server or the user profile. See also Section 4.7.3.4, “Windows Domains and the Password Cache”. |
Number of Sessions | The number of instances of an application a user can run. The default is three. |
Application Resumability | For how long the application is resumable. The following options are available:
|
Window Type | How the application is displayed to the user. Use Kiosk for full-screen desktop sessions. Selecting the Scale to Fit Window check box for the Window Size enables SGD to scale the application window to fit the client device display. For Independent Window, you must specify a Height and Width for the Window Size or select the Client's Maximum Size check box. Use Seamless Window mode to display the application in the same way it displays on the Windows application server, regardless of the user's desktop environment. See Section 4.1.6, “Seamless Windows”. |
Color Depth | The application's color depth. See Section 4.1.3.13, “Color Depth” for more details. |
Application Load Balancing | How SGD chooses the best application server to run the application. See Section 7.2.3, “Application Load Balancing” for more details. |
Hosting Application Servers tab | Use the Editable Assignments table to select the application servers, or group of application servers, that can run the application. The application must be installed in the same location on all application servers. |
Assigned User Profiles tab | Use the Editable Assignments table to select the users that can see the application. Selecting Directory or Directory (light) objects enables you to give the application to many users at once. You can also use a Lightweight Directory Access Protocol (LDAP) directory to assign applications. See Section 3.2.2, “LDAP Assignments”. |
In addition to this configuration, you can also configure the following:
Printing – See Section 5.1, “Printing”.
Client drives – See Section 5.2, “Client Drive Mapping”.
Audio – See Section 5.3, “Audio”.
Smart cards – See Section 5.5, “Smart Cards”.
Copy and paste – See Section 5.4, “Copy and Paste”.
Serial ports – See Section 5.6, “Serial Ports”.
On the command line, you create a Windows application object with the tarantella object new_windowsapp command. You can also create multiple Windows application objects at the same time with the tarantella object script command. See Section 3.1.5, “Populating the SGD Organizational Hierarchy Using a Batch Script”.
Windows application objects can only be created in the o=applications organizational hierarchy.
Configuring a Windows application object enables you to use the features of Microsoft Windows Remote Desktop Services.
Before Windows Server 2008 R2, Remote Desktop Services was called Terminal Services.
The Remote Desktop Services features supported by SGD and the application server platforms on which they are supported are listed in the Oracle Secure Global Desktop Platform Support and Release Notes.
There are many possible configuration settings for Microsoft Windows Remote Desktop Services. For detailed information on configuring Remote Desktop Services, see your system documentation. To use Remote Desktop Services with SGD, the settings you might have to configure include the following:
Changes to your Remote Desktop Services configuration only take effect for new Windows application sessions.
You must configure Windows Remote Desktop Services so that it does not prompt for a password when a user logs in.
By default, Microsoft Windows Server does not prompt for passwords.
With Windows Remote Desktop Services, user sessions can continue to run following a connection loss.
If you are not using Session Directory, it is best to disable the session resumability feature on the Remote Desktop Session Host, and let SGD handle session resumability. This prevents the following potential problems:
Unnecessary use of resources on the application server
Users who share accounts on the application server might resume each other's Windows sessions.
After closing down an application using the window decoration, the Remote Desktop Services session might continue to run on the application server.
To disable the Remote Desktop Services session resumability feature, you must select End Session for the When Session Limit Is Reached Or Connection Is Broken option in Remote Desktop Session Host Configuration.
If you are using Session Directory to handle session resumability, you must select Suspend Session for the When Session Limit Is Reached Or Connection Is Broken option in Remote Desktop Session Host Configuration. To use Session Directory, you must also configure the Window Close Action attribute for Windows application objects to End Application Session.
To support printing to client printers from a Windows Remote Desktop Services session, Windows printer mapping must be enabled. Windows printer mapping is enabled by default.
To support mapping of client drives in a Windows Remote Desktop Services session, drive redirection must be enabled. Drive redirection is enabled by default.
You can only use the Low, Client-compatible, or High encryption levels with SGD. SGD does not support the Federal Information Processing Standards (FIPS) encryption level.
By default, a Microsoft Windows Server only allows users to start one Remote Desktop Services session. If a user starts another desktop session, or another instance of an application with the same arguments, the second Remote Desktop Services session grabs the first session and disconnects it. This means that it is not possible to start two desktop sessions, or two instances of the same application, on the same Windows Server.
You can configure Microsoft Windows Server to enable support for multiple Remote Desktop Services sessions.
For Microsoft Windows Server application servers, users can only use Remote Desktop Services if they are members of the Remote Desktop Users group.
Client computers can redirect their time zone settings to the Remote Desktop Session Host, so that users see the correct time for their time zone in their desktop or application sessions. Remote Desktop Services uses the server base time on the Remote Desktop Session Host and the client time zone information to calculate the time in the session. This feature is useful if you have client devices in different time zones. By default, this feature is disabled.
In the Administration Console, the Time Zone Map File attribute on the Global Settings, Client Device tab specifies a file that contains mappings between UNIX platform client device and Windows application server time zone names.
To play audio from a Windows Remote Desktop Services session, audio redirection must be enabled on the application server. By default, audio redirection is disabled.
To record audio in a Windows Remote Desktop Services session, audio recording redirection must be enabled on the application server. By default, audio recording redirection is disabled.
To use a smart card reader from a Windows Remote Desktop Services session, smart card device redirection must be enabled on the application server. By default, smart card device redirection is enabled.
To access the serial ports on the client device from a Windows Remote Desktop Services session, COM port mapping must be enabled on the application server. By default, COM port mapping is disabled.
SGD supports 8-bit, 16-bit, 24-bit, and 32-bit color depths in a Windows Remote Desktop Services session.
For a 32-bit color depth, the client device must be capable of displaying 32-bit color.
15-bit color depths are not supported. If this color depth is specified on the Remote Desktop Session Host, SGD automatically adjusts the color depth to 8-bit.
With Microsoft Windows Server application servers, you can use Transport Layer Security (TLS) for server authentication, and to encrypt Remote Desktop Session Host communications.
If the Remote Desktop Session Host supports Network Level Authentication (NLA) using CredSSP, you can use NLA for server authentication.
See Section 4.7.7, “Using Network Level Authentication for Windows Application Authentication” for more details about using NLA with Windows applications.
For Microsoft Windows Server, Remote Desktop Services settings can be configured using Group Policy, as follows:
An individual Windows Remote Desktop Session Host can be configured using a Local Group Policy Object (LGPO).
Multiple Windows Remote Desktop Session Host instances can be configured using a Group Policy Object (GPO), linked to a domain or organizational unit (OU).
To improve performance, you might want to configure some or all of the following policies:
Keep-Alive Connections. This policy specifies a keep alive time interval for the Remote Desktop Services session. If you find that the connection between the SGD server and the Windows Remote Desktop Session Host is being dropped unexpectedly, you might need to configure the keep alive mechanism for the Windows Remote Desktop Session Host. See Microsoft Knowledge Base article 216783 for details of how to set this policy.
Limit Maximum Color Depth. This policy controls the display color depth on client devices. See Microsoft Knowledge Base article 278502 for details of how to set this policy.
SGD does not include licenses for Microsoft Windows Remote Desktop Services. If you access Remote Desktop Services functionality provided by Microsoft operating system products, you need to purchase additional licenses to use such products. Consult the license agreements for the Microsoft operating system products you are using to determine which licenses you must acquire.
Remote Desktop Services licensing is done using a client access license (CAL). A CAL is a license that allows a client to access the Windows Remote Desktop Session Host. Depending on the licensing mode, a client can be either a user, or a device, or a combination of both.
CALs for client devices that connect to the Remote Desktop Session Host are allocated in accordance with Microsoft policy. The location where CALs are stored on the client device varies according to the client platform.
Table 4.1, “Default Locations for Storing CALs on Client Devices” shows the default storage location for CALs on each platform. On Linux, Oracle Solaris, and Mac OS X platforms, the default locations are created automatically when you install the SGD Client in a system-wide location, as described in Section 6.1.5.2, “System-Wide Installation”.
Table 4.1 Default Locations for Storing CALs on Client Devices
Client Platform | Default Location |
---|---|
Windows | Windows registry |
Linux |
|
Mac OS X |
|
Sun Ray | Sun Ray Datastore |
On Linux, Sun Ray and Mac OS X platforms, if the default location is not available, CALs are stored in the user's $HOME/.tarantella directory.
For Linux, Sun Ray and Mac OS X platforms, you can override the default location by using the <calstorepath> entry in the <localsettings> section of the client profile, profile.xml, on the client device.
If the <localsettings> section is not present in the client profile, create a new section.
For example, use the following profile entry to set the license storage location to /opt/cals:
<localsettings>
  ...
  <calstorepath>/opt/cals/</calstorepath>
</localsettings>
If the client device is shared by multiple users, ensure that the license storage location is writeable by all users. The default license locations meet this requirement.
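The profile change and the shared-device check described above, as an added Python example (not part of the Oracle documentation). The sample profile, its <profile> root element, and the helper names are assumptions made for illustration; only <localsettings> and <calstorepath> come from the text.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample: the <profile> root and <server> entry are assumptions;
# only <localsettings> and <calstorepath> are taken from the page.
SAMPLE_PROFILE = "<profile><server>sgd.example.com</server></profile>"


def set_cal_store_path(profile_xml, cal_dir):
    """Return the profile XML with <localsettings><calstorepath> set to cal_dir."""
    root = ET.fromstring(profile_xml)
    # Reuse an existing <localsettings> section wherever it sits in the profile.
    local = next(root.iter("localsettings"), None)
    if local is None:
        # The section is not present, so create a new one.
        local = ET.SubElement(root, "localsettings")
    entry = local.find("calstorepath")
    if entry is None:
        entry = ET.SubElement(local, "calstorepath")
    # The page's example writes the directory with a trailing slash.
    entry.text = cal_dir.rstrip("/") + "/"
    return ET.tostring(root, encoding="unicode")


def writable_by_all_users(cal_dir):
    """True if cal_dir is a directory that every local user can write into."""
    try:
        mode = os.stat(cal_dir).st_mode
    except OSError:
        return False  # missing or unreadable location
    # Creating files in a directory needs both write and search permission.
    needed = stat.S_IWOTH | stat.S_IXOTH
    return stat.S_ISDIR(mode) and (mode & needed) == needed


if __name__ == "__main__":
    print(set_cal_store_path(SAMPLE_PROFILE, "/opt/cals"))
    print("writable by all users:", writable_by_all_users("/opt/cals"))
```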
When using CALs with the tablet workspace, the following applies:
CALs are stored on the browser, not on the client device.
For an SGD array, multiple CALs may be used. A separate CAL is allocated for each array member that hosts an application session.
See Section 4.9.23, “Troubleshooting Problems With CALs” for advice on troubleshooting issues with CALs when using SGD.
Some editions of Microsoft Windows include a Remote Desktop Connection feature that enables you to access a computer using Microsoft RDP. You can use SGD and Remote Desktop Connection, for example, to give users access to their office PC when they are out of the office.
The supported platforms and features for Remote Desktop Connection are listed in the Oracle Secure Global Desktop Platform Support and Release Notes.
Before introducing SGD, ensure that the Remote Desktop Connection link to the Microsoft Windows computer is working.
You configure SGD for use with Remote Desktop Connection as follows:
Create an application server object for each Microsoft Windows computer.
Create a Windows application object for the Windows desktop application.
To ensure users access their own computer, you have to create separate Windows desktop application objects for each Microsoft Windows computer.
See Section 4.5.7, “Using My Desktop” for details of how to run a full-screen desktop session, without displaying the SGD workspace.
With seamless windows, the Microsoft Windows application server manages the display of the application. This means an application's windows behave in the same way as an application displayed on the application server, regardless of the user's desktop environment. The window can be resized, stacked, maximized, and minimized. The Windows Start Menu and Taskbar are not displayed when using seamless windows.
Seamless windows are not suitable for displaying Windows desktop sessions. Use a kiosk or independent window instead.
The following are the conditions for using seamless windows:
The SGD Enhancement Module for Windows must be installed on the application server.
The Windows application object must be configured with a Window Type of Seamless Window.
If any of the above conditions are not met, SGD displays the Windows application in an independent window instead.
The following are some notes and tips on displaying applications in seamless windows:
If an application is displayed in a seamless window, you can toggle between a seamless window and an independent window by pressing the Scroll Lock key.
Applications that have non-rectangular windows, for example, a media player with a customized skin, display in a rectangular window.
Some display modes may not be available for applications. For example, a media player is unable to minimize to the Taskbar. In Windows Media Player, this is called mini Player mode.
On Windows client devices, seamless windows are not affected by the Cascade, Tile Windows Horizontally, or Tile Windows Vertically window commands.
If a screen saver or the Windows Security dialog displays, the window automatically switches to an independent window. Unlocking the application automatically restores the window to a seamless window.
If a seamless window application is resumed on a display that is larger or smaller in size than the original session, the application is displayed in an independent window.
Each application displaying in a seamless window has its own RDP connection.
You can configure how SGD handles keyboard presses on the client device in a Windows Remote Desktop Services session, as follows:
SGD supports the following keyboard shortcuts for Windows Remote Desktop Services sessions.
Keyboard Shortcut | Description |
---|---|
Ctrl+Alt+End | Displays the Windows Security dialog. |
Alt+Page Up | Switches between windows, from left to right. |
Alt+Page Down | Switches between windows, from right to left. |
Alt+Insert | Cycles through windows, in the order they were opened. |
Alt+End | Displays the Windows Start menu. |
Alt+Delete | Displays the pop-up menu for the current window. |
Ctrl+Alt+Minus | Use the Minus (-) key on the numeric keypad. Places a snapshot of the active client window on the Windows Remote Desktop Session Host clipboard. Provides the same functionality as pressing Alt+PrintScrn on a local computer. |
Ctrl+Alt+Plus | Use the Plus (+) key on the numeric keypad. Places a snapshot of the entire client window area on the Windows Remote Desktop Session Host clipboard. Provides the same functionality as pressing PrintScrn on a local computer. |
Alt+Ctrl+Shift+Space | Minimizes the active window. Only applies for kiosk mode. |
In SGD Windows Remote Desktop Services sessions, the Windows key and keyboard shortcuts for managing windows can be sent either to the remote session or acted on locally. By default, they are acted on locally.
For Windows application objects that are configured to display in kiosk mode, the Window Management Keys (--remotewindowkeys) attribute controls keyboard shortcut behavior. To send the Windows key and window management keys to the remote session, do either of the following:
In the Administration Console, go to the Client Device tab for the Windows application object and select the Window Management Keys check box.
Use the following command:
$ tarantella object edit --name obj --remotewindowkeys 1
If the Windows key and window management keys are sent to the remote session, use the key sequence Alt+Ctrl+Shift+Space to exit kiosk mode. This minimizes the kiosk session on the local desktop. Alternatively, to exit kiosk mode you can use the Kiosk Mode Escape (--allowkioskescape) attribute to enable a pull-down header for the application window. The pull-down header includes icons for minimizing and closing the kiosk session.
For Windows application objects that are not configured to display in kiosk mode, you can force the Windows key to be sent to the remote session by using the -windowskey option for the SGD Remote Desktop Client. To send the Windows key to the remote session, do either of the following:
In the Administration Console, go to the Launch tab for the Windows application object and enter -windowskey on in the Arguments field.
Use the following command:
$ tarantella object edit --name obj --protoargs "-windowskey on"
By default, when you run a Windows application through SGD using the Microsoft RDP protocol, the hostname of the client device is returned in the %CLIENTNAME% environment variable for the Windows Remote Desktop Services session. When you use a Sun Ray Client device, the DTU ID is returned in the %CLIENTNAME% environment variable. The DTU ID is the hardware address of the Sun Ray Client.
The DTU ID can be used to specify the name of the client device in the wcpwts.exp login script. SGD uses this login script for all Windows applications that connect using the Microsoft RDP protocol.
The SGD Remote Desktop Client, also known as ttatsc, is a client program that handles the connection between the SGD server and the Windows Remote Desktop Session Host.
The syntax for running ttatsc from the command line is as follows:
ttatsc [-options..] server.example.com
where server.example.com is the name of a Windows Remote Desktop Session Host.
You can use the ttatsc command to configure Windows Remote Desktop Services sessions in the following ways:
Configure attributes for the Windows application object. Some of the ttatsc command options are available as attributes for a Windows application object. These are indicated in the following table.
Configure the Arguments (--protoargs) attribute of the Windows application object. Using this attribute, you can specify ttatsc command options used for a Windows application object.
Edit the wcpwts.exp login script, and specify ttatsc command options. Any changes you make to this file are used for all Windows applications that connect using the Microsoft RDP protocol.
Table 4.2, “Supported Options for the ttatsc Command” shows the available options for the ttatsc command.
Table 4.2 Supported Options for the ttatsc Command
Option | Description |
---|---|
| The application to run in the Remote Desktop Services session. |
| Sets the quality of the audio redirection. |
| Enables or disables data compression for the connection. |
| The type of connection used between the client device and the Remote Desktop Session Host. |
| Instead of starting a normal Remote Desktop Services session, connect to a console session. This option is available as the Console Mode ( |
| Configures encryption for the connection. The default setting, |
| Whether to let the Remote Desktop Session Host set the default color depth of the X session. |
| Whether to display a full screen desktop session. |
| Working directory for the Remote Desktop Services session. This can be overridden by the application. This option is available as the Working Directory ( |
| The X display to connect to. |
| Domain on the Remote Desktop Session Host to authenticate against. |
| Input locale. Specify an RFC1766 language tag. |
| The X extension to use for multiple monitor displays. If the Window Size: RandR Extension ( |
| Name of the client device. |
| NetBIOS name for the client device. This is used for the redirected printer names on the Remote Desktop Session Host. |
| Enables enhanced security when connecting to the Remote Desktop Session Host. This option is available as the Enhanced Network Security ( |
| Disables audio redirection. |
| Disables audio recording redirection. |
| Do not run ttatsc as a background process. |
| Do not cache printer preferences. This option is available as the Printer Preference Caching ( |
| Read command options from a file. See Section 4.1.9.1, “Using a Configuration File” for details. |
| Password for the Remote Desktop Services user. |
| Disable display options, to improve performance. The available settings are: To disable multiple display options, use multiple |
| Turns on font smoothing for text on the desktop. This option is available as the Font Smoothing ( |
| RDP port to connect to on the Remote Desktop Session Host. The default setting is 3389. |
| This option is deprecated. |
| Leaves audio at the Remote Desktop Session Host. This option is available as the Remote Audio ( |
| Defines the session behavior for dynamic display changes. For example, when the user resizes the display during a session, or resumes a session on a different size display. The default setting is |
| Security layer used for the connection. The The default setting is |
| Do not use a private color map. |
| Display width and display height for the Remote Desktop Services session, in pixels. |
| A unique identifier for the RDP source. For example, the ID of a virtual machine. |
| This option is deprecated. |
| Read command options from standard input. Used by the login scripts to pass command options to ttatsc. |
| This option is deprecated. |
| Enable local window hierarchy for applications that use seamless windows. Needed for some Borland applications. |
| Timeout for connecting to the Remote Desktop Session Host, in seconds. |
| Timeout for establishing an RDP connection, in seconds. |
| This option is deprecated. |
| User name for the Remote Desktop Services user. |
| Whether to enable or disable the Windows key for the Remote Desktop Services session. The default setting is |
A configuration file is a text file containing the ttatsc command-line options to be used for the connection. Each option must be on a separate line without the leading dash (-). The argument and its value are separated by whitespace. Use either single or double quotes to enclose any literal whitespace.
The escape character is \. The following escape sequences are supported:
\n is a new line (0xA)
\r is a carriage return (0xD)
\t is a tab (0x9)
\\ is a literal \
\" is a literal double quote not used for delimiting quoted arguments
\' is a literal single quote not used for delimiting quoted arguments
The following is an example configuration file:
u "Indigo Jones"
p "Wh1teh4ll"
a "C:\\program files\\notepad.exe"
naples.example.com
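A parser for the configuration file format described above, written as an added Python example; it is not code from SGD or from the Oracle documentation. It assumes that a final bare word is the Remote Desktop Session Host name and that `p` carries the password, both inferred from the page's example file, and the function names are hypothetical.

```python
# Escape sequences the page lists: \n \r \t \\ \" \'
ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\", '"': '"', "'": "'"}

# Constructed sample, laid out like the page's example (one option per line).
SAMPLE = r'''
u "Indigo Jones"
p "Wh1teh4ll"
a "C:\\program files\\notepad.exe"
naples.example.com
'''


class ConfigError(ValueError):
    """Raised for a line that does not follow the documented format."""


def split_line(line):
    """Split one line into tokens, honouring quotes and backslash escapes."""
    tokens, current, quote, started = [], [], None, False
    chars = iter(line)
    for ch in chars:
        if ch == "\\":
            nxt = next(chars, None)
            if nxt not in ESCAPES:
                raise ConfigError(f"unsupported escape sequence: \\{nxt}")
            current.append(ESCAPES[nxt])
            started = True
        elif quote:
            if ch == quote:
                quote = None  # closing quote ends the quoted run
            else:
                current.append(ch)  # whitespace inside quotes is literal
        elif ch in "\"'":
            quote, started = ch, True  # an empty "" still yields a token
        elif ch.isspace():
            if started:
                tokens.append("".join(current))
                current, started = [], False
        else:
            current.append(ch)
            started = True
    if quote:
        raise ConfigError("unterminated quote")
    if started:
        tokens.append("".join(current))
    return tokens


def parse_config(text):
    """Return (options, server); options is a list of (name, [values])."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            tokens = split_line(raw)
        except ConfigError as exc:
            raise ConfigError(f"line {lineno}: {exc}") from None
        if not tokens:
            continue  # blank line
        if tokens[0].startswith("-"):
            raise ConfigError(f"line {lineno}: write options without the leading dash")
        entries.append((tokens[0], tokens[1:]))
    # Assumption: a final bare word is the Remote Desktop Session Host name.
    server = None
    if entries and not entries[-1][1]:
        server = entries.pop()[0]
    return entries, server


def redact(entries, secret_options=("p",)):
    """Copy of entries with secret values masked, suitable for logging."""
    return [(n, ["********"] * len(v) if n in secret_options else v) for n, v in entries]


if __name__ == "__main__":
    options, host = parse_config(SAMPLE)
    print(host, redact(options))
```

The example file stores the session password in clear text, so `redact` is applied before anything parsed from it is printed or logged.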