
June 5, 2013

XenClient Enterprise 5.0. Engine VNC Remote Access. June 5, 2013. Table of Contents. VNC Engine Remote Access. Overview Disabled by default, can only be enabled in the Synchronizer. Allows remote access to managed computers at the Engine level.


Presentation Transcript


  1. XenClient Enterprise 5.0 Engine VNC Remote Access June 5, 2013

  2. Table of Contents

  3. VNC Engine Remote Access
     • Overview
       • Disabled by default, can only be enabled in the Synchronizer.
       • Allows remote access to managed computers at the Engine level.
       • Very useful for providing remote assistance to end users.
       • Frequently used by Citrix technical support for remote troubleshooting.
     • Limitations
       • Requires a direct network connection to the Engine.
       • The Engine computer must have a monitor attached.
       • VNC may be considered insufficiently secure in some environments.
     • Alternatives
       • GoToMeeting/GoToAssist:
         • Great for remote access to VMs.
         • But can’t be used to access the Engine itself.
       • Intel AMT:
         • Platform-level VNC access with better security.
         • Part of the Intel vPro feature set.

  4. Engine Policy VNC Configuration
     • VNC access is enabled by updating the Engine policy in Synchronizer.
     • This will enable VNC access for all computers assigned to the policy.
     • VNC access cannot be enabled for unregistered computers.
     In the Policies section, select the Engine policy to be updated, then select the Support vertical tab. Enable VNC remote access and enter a strong VNC password. Then save the policy changes.

  5. Engine Policy Override (Owned Computers) VNC access can be enabled for a specific computer by overriding the Engine policy configuration. This method can also be used to set a different VNC password for a specific computer. For owned computers, the Engine policy is associated with the User, not the Computer. In the Users section, select the user registered to the computer. Then select the Policies tab. This flag icon indicates the Support section of the Engine policy has been overridden. Select the Support vertical tab. Enable VNC access and set a strong password, then save the policy override settings.

  6. Engine Policy Override (Unowned Computers) VNC access can be enabled for a specific computer by overriding the Engine policy configuration. This method can also be used to set a different VNC password for a specific computer. For unowned computers, the Engine policy is associated with the Computer, not with a User. Select the unowned computer in the Computers section, then select the Policies tab. This flag icon indicates the Support section of the Engine policy has been overridden. Select the Support vertical tab. Enable VNC access and set a strong password, then save the policy override settings.

  7. Engine Update Check Required
     • When Will VNC Access be Enabled?
       • Not until Engine checks for updates with Synchronizer to get the policy update.
       • If Engine can’t communicate with Synchronizer, then VNC access can’t be enabled.
     • Automatic Update Check
       • The computer will automatically check for updates with Synchronizer.
       • Update check interval defined in Engine policy (Activity Center section, see below).
       • Default update check interval is 10 minutes but should be higher for large deployments.
       • Recommended minimum value:
         • N/20 where N is total number of registered computers.
         • But no less than 10 minutes.
       • Excessive update checks can cause performance issues in the Synchronizer.
     • Manual Update Check
       • A manual update check can be initiated from the Engine (see next page).
       • If access to the Engine is not available, must wait for next automatic update check.

  8. Manual Engine Update Check
     • To check for updates manually on the Engine:
       • Hover to the right of the Control Panel icon.
       • A menu will appear. Choose “Check for Updates”.
     • Or from the Engine control panel:
       • Select the “Tools by Category” view.
       • Launch the Activity Center applet.
       • Click the “Check for Updates” button.
     There is also a shortcut to the Activity Center on the Engine launcher screen.

  9. VNC Software
     • VNC Viewer Software
       • VNC Viewer (client) software is needed for remote access to XCE computers.
       • Synchronizer does not include a VNC Viewer, one must be installed separately.
     • Compatible VNC Products
       • The following VNC products have been known to work:
         • TightVNC (recommended): http://www.tightvnc.com
         • RealVNC: http://www.realvnc.com
         • UltraVNC: http://www.uvnc.com
       • Free open-source versions are available for download.
       • Purchasing the software is recommended if it is found to be useful.
     • VNC Server Software
       • VNC products may also include a VNC Server component.
       • Installing the VNC Server is not recommended and not required for remote access to XCE computers.
       • It may be necessary to use a “custom installation” option to install the VNC Viewer without VNC Server (example shown for the TightVNC installer).

  10. Connecting to Engine with VNC Viewer Start the VNC Viewer and connect to the Engine by IP address. A password challenge should appear. Enter the password set for VNC access in the Engine policy. The VNC viewer should connect to the Engine and display the Engine desktop.

  11. Engine IP Address
      The Engine IP address is displayed in the Engine networking control panel. The Engine IP address is also displayed in the Synchronizer console.
      • If the Engine connects to Synchronizer across a network router:
        • The IP address displayed in the Synchronizer console may be incorrect.
        • It may be the IP address of the router instead of the Engine.
        • The IP address displayed in the Engine will always be correct.

  12. VNC and Engine Login
      • For Unencrypted Computers:
        • VNC access to Engine is possible while Engine is waiting for user login.
        • Once connected with VNC, a remote user may log in to Engine through the VNC session.
        • VNC access does not bypass the need to log in to the Engine.
        • But if VNC Connection Authorization is enabled, VNC can’t connect until a user logs into the Engine and accepts the VNC connection.
      • For Encrypted Computers:
        • VNC access cannot be used to unlock disk encryption.
        • Encryption can only be unlocked with a physical keyboard connected to the computer.
        • VNC access is not enabled until after encryption is unlocked and the Engine is fully booted.

  13. VNC and Engine Reboot
      • If an Engine computer is rebooted (restarted) from a VNC connection:
        • Unencrypted Computers
          • The VNC viewer will disconnect when the computer shuts down.
          • Engine VNC access should automatically restart when the computer restarts.
          • The VNC viewer should be able to connect back to the computer in a few minutes.
          • But if VNC Connection Authorization is enabled, VNC can’t connect until a user logs into the Engine and accepts the VNC connection.
        • Encrypted Computers
          • The VNC viewer session will terminate when the computer shuts down.
          • When the computer restarts, it will stay at the encryption unlock screen until the encryption password is entered.
          • VNC access does not restart until after encryption unlock and the Engine is fully booted.

  14. VNC Timeout
      This refers to communication between Engine and Synchronizer.
      • The Support section of the Engine policy includes a VNC timeout setting.
      • Prevents VNC access from being enabled when it shouldn’t be.
      • When Engine VNC access is enabled:
        • Engine periodically checks with Synchronizer to see if VNC access should remain enabled.
        • If Engine is unable to perform this check, a timer is started for VNC timeout.
        • If Engine is still unable to check with Synchronizer after the VNC timeout expires, then Engine will disable VNC access.
      • If the Synchronizer is offline for an extended period of time:
        • Eventually all Engine computers will disable VNC access due to VNC timeout.
        • This effect can be mitigated by setting the VNC timeout very high.
        • Only recommended for computers on trusted networks.

  15. VNC Connection Notification
      • On the Engine, a pop-up message is displayed for a VNC connection.
      • This is simply a notification.
      • Click on the message to dismiss it.
      • The message should appear even if a VM is in the foreground.
      • The notification can be disabled in the Engine policy Launcher section.
      • By un-checking the Display Pop Up Messages checkbox.
      • But this will disable all pop-up messages on the Engine.
      Uncheck to disable VNC notification and all other Engine pop-up messages.

  16. VNC Connection Authorization
      • VNC connection authorization can be enabled in the Support section of the Engine policy.
      • By checking the Accept Support Connection check box.
      • This allows the end-user to accept or reject the VNC connection.
      • With VNC connection authorization enabled, a pop-up message is displayed when a remote user tries to connect to Engine.
      • By default, this message is not displayed and the end-user cannot reject the VNC connection.
      • This message is displayed and must be accepted before the VNC viewer will prompt the remote user for the VNC password.
      Check to enable user authorization of VNC connections to Engine.

  17. VNC Password Recovery
      • In the Engine policy, the VNC password is usually hidden.
      • To view the VNC password in plain text, check the Show Password Value checkbox.
      • The VNC password will be hidden again if the browser is restarted or refreshed.
      • Only an Administrator with the proper Synchronizer role is able to view the VNC password.

  18. Switching Between Engine and VM
      • With a VM in the foreground, Ctrl-Down is used to display the Engine launcher screen.
      • Sometimes the Ctrl key isn’t passed through the VNC Viewer to the Engine. If this happens:
        • Click the Ctrl button on the VNC viewer:
        • Then press the Down button on the keyboard.
        • This is for TightVNC. Other VNC viewers may have different controls.
        • This should switch to the Engine launcher screen.
      • A similar process can be used for other key combinations with Ctrl and Alt.
      • On some VNC viewers (including TightVNC), the Ctrl and Alt buttons are sticky so make sure to unset them when done.
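
The VNC timeout rule from slide 14, modelled as an added example that is not part of the original presentation and is not Citrix code. It assumes time in minutes, a hypothetical fixed check interval, evaluation of the rule at each check, and that a successful check clears the timer; the function names and sample schedule are constructed for illustration.

```python
# Added model of the VNC timeout rule from slide 14; not Citrix code.
# Assumptions: time is in minutes, the Engine evaluates the rule at each
# check, and a successful check clears the timer.
OK_ENABLED = "enabled"        # Synchronizer reached, VNC should stay enabled
OK_DISABLED = "disabled"      # Synchronizer reached, VNC should be turned off
UNREACHABLE = "unreachable"   # check could not be performed


def vnc_disabled_at(checks, vnc_timeout):
    """Return the minute the Engine disables VNC, or None if it never does.

    checks: (minute, outcome) tuples in time order.
    vnc_timeout: minutes of failed checks tolerated before VNC is disabled.
    """
    timer_started = None
    for minute, outcome in checks:
        if outcome == OK_DISABLED:
            return minute                  # policy says off: disable at once
        if outcome == OK_ENABLED:
            timer_started = None           # contact restored: clear the timer
            continue
        if timer_started is None:
            timer_started = minute         # first failed check starts the timer
        if minute - timer_started >= vnc_timeout:
            return minute                  # still unreachable after the timeout
    return None


def build_checks(interval, horizon, outage_start, outage_end=None):
    """Constructed sample input: checks every `interval` minutes, with the
    Synchronizer unreachable from outage_start until outage_end (or forever)."""
    checks = []
    for minute in range(0, horizon + 1, interval):
        down = minute >= outage_start and (outage_end is None or minute < outage_end)
        checks.append((minute, UNREACHABLE if down else OK_ENABLED))
    return checks


def exposure_minutes(interval, vnc_timeout, outage_start, horizon=5000):
    """Minutes VNC stays enabled after the Engine loses the Synchronizer."""
    off = vnc_disabled_at(build_checks(interval, horizon, outage_start), vnc_timeout)
    return None if off is None else off - outage_start


if __name__ == "__main__":
    for timeout in (60, 1440):   # one hour versus a "very high" one-day timeout
        print(timeout, exposure_minutes(10, timeout, outage_start=25))
```

Under these assumptions, raising the timeout from one hour to one day stretches the period during which an Engine that has lost the Synchronizer still accepts VNC connections by the same amount, which is the window the trusted-network recommendation on slide 14 addresses.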
