Sun Secure Global Desktop 4.41 Administration Guide
820-4907-10
Overview of Networks and Security
Connections Between Client Devices and SGD Servers
Connections Between SGD Servers and Application Servers
UNIX or Linux System Application Servers
Microsoft Windows Application Servers
Connections Between SGD servers in an Array
Configuring External DNS Names
How to Configure the External DNS Names of an SGD Server
Changing the Peer DNS Name of an SGD Server
How to Change the Peer DNS Name of an SGD Server
Configuring Application Servers after Changing a Peer DNS Name
Configuring Client Proxy Settings
Using Proxy Server Automatic Configuration Scripts
Configuring Server-Side Proxy Servers
Firewalls Between Client Devices and SGD Servers
Firewalls Between SGD Servers and Application Servers
Securing Connections Between Client Devices and SGD Servers
Setting up Secure Client Connections
Setting up Secure Client Connections (Automatic Configuration)
Setting up Secure Client Connections (Manual Configuration)
Supported Certificate Authorities
Using a Certificate Obtained for Another Product
Obtaining and Installing a Server Certificate
How to Generate a Certificate Signing Request
How to Install a Server Certificate
How to Install a Certificate Obtained for Another Product
How to Install the CA Certificate for an Unsupported CA
How to Install a CA Certificate Chain
How to Replace a Server Certificate
Enabling SGD Security Services With Automatic Configuration
How to Enable SGD Security Services With Automatic Configuration
Using HTTPS Connections to the SGD Web Server
How to Configure Firewall Traversal
Securing SOAP Connections to an SGD Server
How to Secure the SOAP Connections to an SGD Server
Securing the SOAP Connections From Remote Hosts
Enabling SGD Security Services
How to Enable SGD Security Services for an SGD Server
How to Enable Connection Definition Processing
How to Configure Connection Definitions
Client Connections and Security Warnings
Browser and Java Plug-in Tool Security Warnings
SGD Server Certificate Security Warnings
Untrusted Initial Connection Warnings
How to Tune SSL Daemon Processes
How to Change SSL Daemon Log Filters
How to Change SSL Daemon Maximum Restart Attempts
Selecting a Cipher Suite for Secure Client Connections
How to Change the Cipher Suite for Secure Client Connections
Using External SSL Accelerators
How to Enable External SSL Accelerator Support
Securing Connections Between SGD Servers
Using Secure Intra-Array Communication
Managing CA and Server Peer Certificates
How to Enable Secure Intra-Array Communication
Selecting a Cipher Suite for Secure Intra‐Array Communication
How to Change the Cipher Suite for Secure Intra‐Array Communication
Securing Connections to Application Servers with SSH
How to Set Global SSH Client Options
How to Set Application SSH Client Options
Using SSH and the X Security Extension
How to Enable the X Security Extension
Known Limitation With Client Keys
Secure Global Desktop Authentication
System Authentication Mechanisms
Configuring Application Authentication
Using RSA SecurID for Application Authentication
The Application Server Password Cache
Managing the Application Server Password Cache
Security and the Password Cache
Windows Domains and the Password Cache
Supporting Users in Different Locales
Adding Support for System Prompts in Different Languages
Active Directory Authentication
How Active Directory Authentication Works
User Identity and User Profile
Setting Up Active Directory Authentication
Configuring SGD for Kerberos Authentication
How to Enable Active Directory Authentication
How to Configure SSL Connections to Active Directory
How Anonymous User Authentication Works
User Identity and User Profile
Application Sessions and Password Cache Entries
How to Enable Anonymous User Authentication
User Identity and User Profile
Supported LDAP Directory Servers
How to Enable LDAP Authentication
LDAP Authentication and Password Expiry
Restricting the LDAP Users That Can Log In to SGD
How to Configure an LDAP Login Filter
How SecurID Authentication Works
User Identity and User Profile
Setting Up SecurID Authentication
Configuring SGD servers as Agent Hosts
How to Configure an SGD Server as an Agent Host
How to Enable SecurID Authentication
Third-Party and Web Server Authentication
How Third-Party Authentication Works
Use Default Third-Party Identity
How to Enable Third-Party Authentication
How Web Server Authentication Works
Security Considerations of Using Web Server Authentication
Enabling Web Server Authentication
How to Enable Web Server Authentication for the SGD Web Server
Using Authentication Plug-ins With Web Server Authentication
How to Enable Support for Other Environment Variables for Web Server Authentication
Using Client Certificates With Web Server Authentication
How to Enable Support for the SSL_CLIENT_S_DN_CN Variable
SGD Administrators and Third-Party Authentication
Trusted Users and Third-Party Authentication
Information for Application Developers
How to Create a New Trusted User
How UNIX System Authentication Works
Search Unix User ID in Local Repository
Search Unix Group ID in Local Repository
UNIX System Authentication and PAM
How to Enable UNIX System Authentication
How Windows Domain Authentication Works
User Identity and User Profile
How to Enable Windows Domain Authentication
Passwords, Domains, and Domain Controllers
How to Specify a Domain Controller on a Different Subnet
Troubleshooting Secure Global Desktop Authentication
Setting Log Filters for Authentication Problems
Tuning LDAP Performance for Authentication
LDAP User Name Search Attributes
Troubleshooting LDAP Authentication
Troubleshooting Web Server Authentication
Web Server Authentication Fails
Users See the Standard SGD Login Page
Denying Users Access to SGD After Failed Login Attempts
How to Enable the Login Failure Handler
How to Change the Number of Login Attempts
Users Cannot Log In to Any SGD Server
Using Shared Accounts for Guest Users
How to Share a User Profile Between Users
Solaris OS Users Cannot Log in When Security is Enabled
An Ambiguous User Name Dialog Is Displayed When a User Tries to Log in
Troubleshooting Application Authentication
Users Can Start Applications With Different User Names and Passwords
Using Windows Terminal Services, Users Are Prompted for User Names and Passwords Too Often
Terminal Server Prompts the User
Publishing Applications to Users
The System Objects Organization
Directory Object: Organization
Directory (Light) Object: Domain Component
Directory Object: Organizational Unit
Directory (Light) Object: Active Directory Container
Designing the Organizational Hierarchy
Naming Objects in the Organizational Hierarchy
Populating the SGD Organizational Hierarchy Using a Batch Script
How To Add an SGD Administrator
How To Remove an SGD Administrator
How to Assign Application Servers to Applications
How to Assign Applications to Users
How to Assign Applications to LDAP Users
How to Assign Applications to Members of LDAP Groups
How to Assign Applications Using LDAP Searches
How to Increase the LDAP Group Search Depth
How to Configure LDAP Group Reverse Attributes
How to Configure LDAP Group Membership Attributes
How to Configure LDAP Group Short Name Attributes
Troubleshooting LDAP Assignments
Supported Installation Platforms for the SGD Enhancement Module
Configuring Windows Application Objects
Creating Windows Application Objects on the Command Line
Configuring Microsoft Windows Terminal Services for Use With SGD
Microsoft Windows Remote Desktop
Key Handling for Windows Terminal Services
The SGD Terminal Services Client
Running Windows Applications on Client Devices
Configuring X Application Objects
Creating X Application Objects on the Command Line
How to Configure SGD to Use Your Own X Fonts
Configuring Character Application Objects
Creating Character Application Objects on the Command Line
Terminal Emulator Keyboard Maps
Terminal Emulator Attribute Maps
How to Create Your Own Attribute Map
Tips on Configuring Applications
Starting an Application or Desktop Session Without Displaying a Webtop
Using the SGD Client in Integrated Mode
Using Multihead Or Dual Head Monitors
Configuring the Correct Desktop Size
Improving the Performance of Windows Desktop Sessions
Improving the Performance of JDS Desktop Sessions or Applications
Configuring the X Application Object for JDS
Disabling Default JDS Settings
Documents and Web Applications
How to Create the Teacher’s Application Object
How to Create the Classroom Application
Configuring Common Desktop Environment Applications
Configuring a CDE Desktop Session
Configuring the Login Script Used for the Application
Configuring the Transport Variable in the Login Script
Using Shadowing to Troubleshoot a User’s Problem
Checking the Configuration of the Application Object
Checking the Launch Details and Error Logs
Troubleshooting ErrApplicationServerTimeout Errors
Troubleshooting ErrApplicationServerLoginFailed Errors
An Application Exits Immediately After Starting
Applications Disappear After About Two Minutes
An Application Session Does Not End When the User Exits an Application
Applications Fail To Start When X Authorization Is Enabled
A Kiosk Application Is Not Appearing Full-Screen
An Application’s Animation Appears ‘Jumpy’
Font Problems with X Applications
Display Problems With High Color X Applications
The X Application Fails With a Color Planes Error
The X Application Uses Too Much Bandwidth
8-bit Applications Exit With a PseudoColor Visual Error
Clipped Windows With Client Window Management Applications
In Some X Applications, the Alt and AltGraph Keys Do Not Work
Configuring Microsoft Windows Application Servers for Printing
Configuring Printing for Microsoft RDP
Configuring Other Microsoft Windows Application Servers for Printing
Configuring UNIX and Linux Platform Application Servers for Printing
How to Install an SGD Printer Queue on a UNIX or Linux Platform Application Server
The SGD Printer Queue Installation Script
Printing With the SGD lp and lpr Scripts
Configuring an SGD Server for Printing
Checking the Ghostscript Installation on the SGD Host
Configuring the SGD Host to Accept Remote Print Requests
Configuring SGD Print Job Conversion
Configuring Printing to Microsoft Windows Client Devices
Configuring Printing to UNIX, Linux, and Mac OS X Platform Client Devices
Setting a Time Limit for Print Jobs
Users Cannot Print From Applications Displayed Through SGD
Troubleshooting Other Printing Problems
Troubleshooting Printer Preferences and Settings
Print Jobs Can Be Queued When SGD Printing is Disabled
Fonts Do Not Print Correctly With PDF Printing
Changing Printer Names in Windows Application Sessions
Changing the Names of the PDF Printers
Users See a Printer Called ‘_Default’ in a Windows Application Session?
Setting Up Client Drive Mapping
Configuring UNIX and Linux Platform Application Servers for CDM
Configuring an NFS Share for CDM
Configuring a Shared Directory on the Application Server
Configuring How Client Drives Are Displayed on UNIX Platforms
Starting CDM Processes on the Application Server
Configuring Microsoft Windows Application Servers for CDM
Remapping or Hiding Microsoft Windows Application Server Drives
How to Enable SGD Client Drive Mapping Services
How to Run CDM and Another SMB Service on the Same Host
Configuring the Drives Available to UNIX, Linux, and Mac OS X Platform Client Devices
Configuring the Drives Available to Microsoft Windows Client Devices
An Example of Configuring Drive Availability for Users
Troubleshooting Client Drive Mapping
No Client Drives Are Mapped Within the User’s Session or There Are Fewer Drives Than Expected
Invalid Password Errors on Microsoft Windows Application Servers
Windows Client Drives Are Mapped Using Unexpected Drive Letters
More Client Drives Are Mapped Than Expected
The Recycle Bin Does Not Work As Expected
Mapped Drives Have Unusual Names
CDM Limitations for Shared Users
Enabling CDM Logging for the SGD Array
CDM Diagnostics for Microsoft Windows Application Servers
CDM Diagnostics for Unix or Linux Platform Application Servers
Configuring Microsoft Windows Application Servers for Audio
Configuring UNIX and Linux Platform Application Servers for Audio
Configuring X Applications for Audio
How to Enable the SGD Windows Audio Service
How to Enable the SGD UNIX Audio Service
Configuring Client Devices for Audio
Troubleshooting Audio in Applications
Enabling UNIX Audio Debug Logging
Controlling Copy and Paste in Applications
Configuring Global Copy and Paste Settings for the SGD Array
Configuring Copy and Paste for Specific Users
Configuring Copy and Paste for Specific Applications
An Example of Using Clipboard Security Levels
Tips on Configuring Copy and Paste
Copy and Paste Troubleshooting
Using Smart Cards With Windows Applications
Setting Up Access to Smart Cards
Configuring the Microsoft Windows Application Server for Smart Cards
Application Server Authentication Dialog Settings
How to Enable Smart Cards in SGD
Configuring Smart Card Readers on Client Devices
Microsoft Windows Client Devices
Linux Platform and Solaris OS Client Devices
How to Log In to a Microsoft Windows Application Server With a Smart Card
Setting Up Access to Serial Ports
Configuring the Microsoft Windows Application Server
Enabling Serial Port Access in SGD
How to Enable Access to Serial Ports
Automatic Installation of the SGD Client
How to Enable Automatic Installation for Roaming User Profiles
Manual Installation of the SGD Client
Running the SGD Client From the Command Line
Web Services Developer Options
Accessing SGD Without Using Java Technology
How to Access SGD Without Using Java Technology
Client Profiles and the SGD Client
How to Configure Client Profile Editing for Users
Microsoft Windows Users With Roaming User Profiles
Setting Up the SGD Client for Integrated Mode
Authentication Token Authentication
How Authentication Token Authentication Works
Authentication Tokens and Security
How to Enable Authentication Token Authentication
Administering Authentication Tokens
Troubleshooting Automatic Logins
Configuring the Client Profile for Integrated Mode
Configuring Applications for Integrated Mode
Setting the Language for the Webtop
Overriding the Default Language for the Webtop
Using Different Styles of Webtop
How to Relocate the Webtop to Your Own JSP Container
SGD Servers, Arrays, and Load Balancing
Replicating Data Across the Array
Adding and Removing SGD Servers From An Array
How to Add a Server to an Array
How to Remove a Server From an Array
How to Change the Primary Server in an Array
Configuring Arrays and Servers
Using The Load-Balancing JSP to Distribute User Sessions
How to Configure the Load‐Balancing JSP to Distribute User Sessions
Using an External Mechanism to Distribute User Sessions
How to Configure the Load‐Balancing JSP for an External Load Balancing Mechanism
How to Configure the Load‐Balancing JSP for Use With My Desktop
Additional Load‐Balancing JSP Configuration
Application Session Load Balancing
Defining the Application Servers to Run the Application
Selecting the Load Balancing Method
How Application Load Balancing Works
Application Server Availability
The Relative Power of the Application Servers
The Application Server With the Least Load
How Advanced Load Management Works
Tuning Application Load Balancing
Application Server’s Relative Power
Load Balancing Listening Ports
SGD Requests Updates From an Application Server
Frequency of the Load Calculation
Frequency of Updates to the Primary SGD Server
Reliability of CPU and Memory Data
Frequency of Updates to Array Members
Editing Application Load Balancing Properties
The Global Load Balancing Properties File
The Application Server Load Balancing Properties File
How to Create an Application Server Load Balancing Properties File
The Load Balancing Service Properties File
Introducing the SGD Web Server
Using Another Web Server With SGD
Running the Administration Console
Supported Browsers for the Administration Console
Starting the Administration Console
Deploying the Administration Console on Other Web Application Containers
Avoiding SGD Datastore Update Problems
Performing Array Operations Using the Administration Console
Displaying Online Help Over HTTPS Connections
Administration Console Configuration Settings
Searching and Displaying LDAP Data
Securing Access to the Administration Console
Anonymous Users and Shared Users
Using Log Filters to Troubleshoot Problems With an SGD Server
Selecting a Component and Subcomponent
Using Log Filters for Auditing
Examples of Using Log Filters for Auditing
Licensing Microsoft Windows Terminal Services
Managing CALs From the Command-Line
How to Import CA Certificates or Certificate Chains into the CA Certificate Truststore
How to Create a Client Certificate CSR for an SGD server
How to Install a Client Certificate for an SGD Server
Backing Up and Restoring an SGD Installation
How to Make a Full Backup of an SGD Installation
Restoring a Damaged SGD Component
How to Do a Full Restore of an SGD Installation
Troubleshooting Arrays and Load Balancing
Troubleshooting Advanced Load Management
The Load Balancing Service Is Not Working
SGD Ignores an Application Server Load Balancing Properties File
One of the Application Servers Is Never Picked
One of the Application Servers Is Always Picked
Two Identical Application Servers, But One Runs More Applications Than the Other
The SGD Server Log File Shows an Update Received for an Unknown ID
SGD Uses Too Much Network Bandwidth
Users Cannot Connect to an SGD Server When It Is In Firewall Traversal Mode
Users Cannot Relocate Their Sessions
Secure Global Desktop Authentication Tab
Use Default Third-Party Identity
Use Closest Matching LDAP Profile
Search Unix User ID in Local Repository
Search Unix Group ID in Local Repository
Active Directory Default Domain
Application Authentication Tab
Timeout for User Session Resumability
Timeout for General Resumability
Resource Synchronization Service
Windows Internet Naming Service (WINS)
Client’s Clipboard Security Level
Make Universal PDF Printer the Default
Make Universal PDF Viewer the Default
Application Session Load Balancing
Timeout for Print Name Mapping
Adding Entries to the Password Cache
Secure Global Desktop Server Settings
Secure Global Desktop Servers Tab
The Secure Global Desktop Server List Table
Maximum Simultaneous User Sessions
Daily Resource Synchronization Time
Smart Card Protocol Engine Tab
The Application Session List Table
User Profiles, Applications, and Application Servers
Directory: Organization Object
Directory: Organizational Unit Object
Directory (Light): Active Directory Container Object
Directory (Light): Domain Component Object
Application Resumability: Timeout
Connection Method: ssh Arguments
Copy and Paste: Application’s Clipboard Security Level
Hosting Application Servers Tab
Inherit Assigned Applications from Parent
Make Universal PDF Printer the Default
Make Universal PDF Viewer the Default
Share Resources Between Similar Sessions
Window Size: Client’s Maximum Size
Window Size: Scale to Fit Window
Window Type: New Browser Window
Windows Protocol: Try Running From Client First
The tarantella archive Command
The tarantella emulatorsession Command
tarantella emulatorsession list
tarantella emulatorsession info
tarantella emulatorsession shadow
tarantella emulatorsession suspend
tarantella emulatorsession end
The tarantella license Command
tarantella object list_attributes
tarantella object list_contents
tarantella object new_container
tarantella object new_windowsapp
tarantella object remove_member
The tarantella passcache Command
The tarantella restart Command
The tarantella security Command
tarantella security certrequest
tarantella security decryptkey
tarantella security fingerprint
The tarantella tokencache Command
The tarantella uninstall Command
The tarantella version Command
The tarantella webserver Command
tarantella webserver add_trusted_user
tarantella webserver delete_trusted_user
tarantella webserver list_trusted_users
The tarantella webtopsession Command
tarantella webtopsession logout
Login Scripts Supplied With SGD
Login Scripts Used When Configuring Applications
Login Scripts Containing Common Code
Login Script Tcl Commands and Procedures
Controlling the SGD Application Authentication Dialog
Controlling the SGD Progress Dialog
Controlling the Connection to the Application Server
Guaranteed Login Script Variables
Optional Login Script Variables
Copyright © 2008, Sun Microsystems, Inc. All rights reserved.