C H A P T E R 4 |
This chapter describes how to log in to Sun Secure Global Desktop (SGD) and get started using the software.
SGD supports several mechanisms for authenticating users. By default, any user with an account on the SGD host can log in to SGD using their UNIX or Linux system user name and password.
To use SGD, you need the SGD Client and a supported browser. Usually the SGD Client is installed automatically when you log in. To perform an automatic installation, the browser must have a supported Java Plug-in tool and Java technology must be enabled. If you are using Internet Explorer on Microsoft Windows Vista platforms, you must also add the Uniform Resource Locator (URL) of the SGD server to the list of Trusted Sites in Internet Explorer’s Security Settings.
If your browser does not have Java technology, you must manually install the SGD Client and then connect to SGD. See Installing the SGD Client Manually.
To use SGD with a browser, the browser must have JavaScript technology enabled.
Using a browser, go to http://server.example.com where server.example.com is the name of an SGD server.
The SGD Web Server Welcome Page is displayed, as shown in FIGURE 4-1.
(Optional) Select your preferred language.
The SGD Login Page is displayed, as shown in FIGURE 4-2.
When you install SGD, SGD creates a default SGD Administrator with the user name “Administrator”. This user authenticates using the password of the UNIX or Linux system root user on the host.
Type Administrator for the Username and the superuser (root) password for the Password.
If a Java technology security message displays, click Run to install the SGD Client.
The Untrusted Initial Connection message is displayed. See FIGURE 4-3.
Check the Untrusted Initial Connection message.
The Untrusted Initial Connection message is a security measure to ensure the SGD Client only connects to trusted hosts. The message gives you the opportunity to check the host name and server certificate details before agreeing to the connection. The message displays only once for each SGD server to which you connect.
Check that the host details are correct. If they are, click Yes. If they are not, click No.
The webtop for the Administrator user is displayed, as shown in FIGURE 4-4.
The SGD Client icon is displayed in the task bar. See FIGURE 4-5.
The webtop lists the applications and documents you access through SGD, including the SGD administration tools.
The webtop lists some sample applications that the SGD installation program found on the host so that you can start using SGD.
To run an application, click its link on the webtop, as shown in FIGURE 4-6.
When you start an application, you might be asked for a user name and password. This is authentication information for the application server which is running the application. These details can be cached securely so you do not need to enter them more than once for each application server.
SGD Administrators configure how applications appear. Some applications might appear full‐screen with no window decoration, and others in a window that behaves in the same way as a window on the client device.
When an application is running, a triangle appears in front of the application's name on the webtop and a number appears in brackets after it. The session toolbar also appears below the application name, as shown in FIGURE 4-7.
The number in brackets is the number of separate instances of the application you have started. SGD Administrators configure how many simultaneous instances of an application that you can run.
Some applications can be configured to keep running even when they are not displayed. These are “resumable” applications. To close an application's window without ending the application, you suspend the application. To display the window again and start using the application, you resume the application.
There is a separate session toolbar for each running instance of the application, which you use as follows:
Click the triangle to hide and show the session toolbars for the application sessions, as shown in FIGURE 4-8.
You can manage all your application sessions at once from the links at the top of the Applications area. You use these links as follows:
Applications can have one of three resumability settings.
Resumable applications are useful for the following reasons:
If you click the Edit button in the Applications area of the webtop, you can change your settings.
On the Edit Groups tab, you can “personalize” your webtop by arranging your applications into groups. You decide how and when the groups display. Groups are useful for keeping similar applications together or for hiding applications not used very often. Only a SGD Administrator can add an application to, or remove an application from, the list of applications that are available on a user’s webtop.
On the Client Settings tab, you can configure the settings for the SGD Client, for example the proxy server to use, or whether the list of applications you can run displays in the desktop Start or Launch menu. The settings are stored in a profile on the client device.
You must log out of SGD before closing your browser. This enables SGD to shut down any applications that need not run any more and stop the SGD Client.
If you close your browser without logging out, you are not logged out of SGD, because the SGD Client is still running. If you accidentally close the browser, you can only display the webtop by logging in again.
To log out of SGD, click the Logout button on the webtop and click OK when prompted for confirmation.
SGD has the following administration tools:
Administration Console – Enables user and user session management, SGD server configuration, and the configuration of applications for SGD users
Profile Editor – Enables definition of settings for the SGD Client for the users in your organization
tarantella command – Enables control and configuration of SGD from the command line
The Administration Console and the Profile Editor are available on the webtop of SGD Administrators.
To display the Administration Console, you can use any browser that is supported by SGD, apart from Safari. See the Sun Secure Global Desktop 4.41 Administration Guide for details of the supported browsers for SGD. The browser must have the JavaScript programming language enabled.
The Administration Console works best when you run it on the primary SGD server in the array.
To start the Administration Console, you click the link on the webtop.
If you want to run the Administration Console without displaying the webtop, you can run it from the following locations:
http://server.example.com and click the Launch the Secure Global Desktop Administration Console link
where server.example.com is the name of an SGD server.
If you run the Administration Console without displaying a webtop, you are prompted to log in as an SGD Administrator.
When you log in to the Administration Console, the Welcome screen is displayed, as shown in FIGURE 4-9.
The Welcome Screen contains links to information to help you get started. Click Continue to display the Administration Console. The Administration Console opens in Navigation View, as shown in FIGURE 4-10.
Navigation View is the “top‐level” view that enables you to access the tabs for managing the different areas of SGD. The following table summarizes the tabs available in Navigation View and what they are used for.
Tab | Description |
---|---|
Secure Global Desktop Servers | Managing and configuring SGD servers.
If you upgraded from a previous release of SGD, this tab replaces Array Manager. This tab is described in more detail in Managing SGD. |
Sessions | Managing users’ SGD sessions and application
sessions.
If you upgraded from a previous release of SGD, this tab replaces Session Manager. This tab is described in more detail in Monitoring Users. |
User Profiles | Managing and configuring users’ SGD settings.
If you upgraded from a previous release of SGD, this tab replaces Object Manager. This tab is described in more detail in Creating Users. |
Applications | Managing and configuring the applications
that users can run through SGD.
If you upgraded from a previous release of SGD, this tab replaces Object Manager. This tab is described in more detail in Adding Applications to Webtops. |
Application Servers | Managing and configuring the application
servers that run the applications displayed through SGD.
If you upgraded from a previous release of SGD, this tab replaces Object Manager. This tab is described in more detail in Adding Applications to Webtops. |
Global Settings | Configuring settings that apply to SGD
as a whole.
If you upgraded from a previous release of SGD, this tab replaces Array Manager. This tab is described in more detail in Managing SGD. |
Caches | Managing the application server passwords and authentication tokens that SGD has stored. |
SGD is built on the following principles of directory services:
Users, applications, and application servers are represented by objects in a directory. The objects are organized into a organizational hierarchy representing your organization.
Different types of object have different configuration settings, known as attributes.
The relationships between objects are important and have meanings.
SGD includes a number of different object types. When you select an object to work with, the Administration Console changes to Object View. The Administration Console provides links to enable you to switch between Object View and Navigation View, and also an Object History that enables you to switch between the objects you have recently worked with, as shown in FIGURE 4-11.
![]() | Caution - When using the Administration Console, do not use the browser’s Back button. Instead, use the navigation links to move between pages in the Administration Console. |
The User Profiles, Applications, and Application Servers tabs are divided into two sections. On the left is the navigation tree and on the right is the content area, as shown in FIGURE 4-12. The navigation tree only shows the container objects that are used to structure your organizational hierarchy. As you browse and select objects in the navigation tree, the content area displays a list of objects contained in the selected object.
Several of the tabs and screens in the Administration Console have a search field. The search is case insensitive and accepts only the * wildcard character. The search results are displayed in a table and are limited to a maximum of 150 hits.
Most tabs in the Administration Console present information in tables. Often the information in a table cell is a link that can be clicked to display further information.
The tarantella command is a script installed in the install-dir/bin directory. By default, install-dir is /opt/tarantella. As this script is not on the standard PATH, you must use the full path each time you run the command, or change to /opt/tarantella/bin before running the command. Alternatively, do the following:
The tarantella command is actually a family of commands, each of which can have its own set of subcommands. You always run the subcommands through the tarantella command, for example:
# tarantella license list |
Help is available for every command by using the --help command‐line argument.
Many commands are designed so that you can build scripts around them.
The following restrictions apply as to which users can use particular tarantella commands:
Commands that control the SGD server and SGD Web Server can be run only by superuser (root)
Commands for creating and managing arrays of SGD servers can be run only by SGD Administrators
All other commands can be run by any user in the ttaserv group
Use the usermod -G command to make a user a member of the ttaserv group. The ttaserv group does not have to be the user’s primary or effective group.
This section describes how to use the Administration Console to create an SGD user. You do this by creating a user profile object. A user profile is used to control a user’s SGD settings, such as whether they can log in to SGD and the applications that they can run. This section also describes how to make a user an SGD Administrator.
In the Administration Console, the User Profiles tab is where you create and manage user profiles. See FIGURE 4-13.
By default, this tab contains two “top-level” objects, a Directory object called organization (o=organization on the command line) and a Directory (light) object called com (dc=com on the command line). You can rename or delete these objects, or create new top‐level objects. You create all the objects you need for managing users within these top-level object types.
You can use other Directory objects to subdivide your organization. For example, you might want to use a Directory (organizational unit) for each department in your organization.
In this section, you learn how to create a user profile for yourself, and how to make yourself an SGD Administrator. SGD Administrators always have a user profile. Only SGD Administrators can create user profiles.
Users who occupy the Global Administrators role are SGD Administrators. SGD Administrators can configure SGD using any of the SGD administration tools. Users who do not occupy the Global Administrators role have no administration privileges.
The Global Administrators role is an object in the System Objects organization on the User Profiles tab. The Global Administrators role object is used to assign users administrative privileges and to give them access to the administration tools.
After following these procedures, you can log in to SGD using your UNIX or Linux platform user name and password, and run the Administration Console.
You can also use the tarantella object new_person command to create a user profile, and the tarantella role add_member command to add an SGD Administrator.
Select an object in the organizational hierarchy.
Use the navigation tree to select the organization object, as shown in FIGURE 4-14.
You can move your user profile to a different location later if needed.
Create the user profile object.
Ensure that the User Profile option is selected and click Create.
The Create a New Object window closes and the content area is updated with the new object. See FIGURE 4-15.
Click the View New Object link.
The General tab for the user profile displays in Object View. See FIGURE 4-16.
Ensure the Login check box is selected and that the Multiple check box is not selected.
In the User Name field, type your UNIX or Linux platform user name.
This attribute can be used to identify and authenticate users.
In the Email Address field, type your full email address.
For example, rusty.spanner@indigo-insurance.com.
This attribute can be used to identify and authenticate users.
In the navigation tree, click System Objects.
The System Objects table is displayed in the content area, as shown in FIGURE 4-17.
In the System Objects table, click the Global Administrators link.
The Members tab is displayed in Object View, as shown in FIGURE 4-18.
In the Editable Members table, click Add.
The Add User Assignment window is displayed. See FIGURE 4-19.
Use the Search field to find your user profile, or browse the navigation tree.
Select the check box next to your user profile and click Add.
The Members tab is displayed and your user profile is listed in the Editable Members table. See FIGURE 4-20.
This section describes how to use the Administration Console to create an application object that can be displayed through SGD, and how to make a link for starting the application appear on a user’s webtop.
In the Administration Console, the Applications tab is where you configure the applications that users can run through SGD. See FIGURE 4-21. The Application Servers tab is where you configure the application servers that run the applications. See FIGURE 4-22.
Application objects are always contained in the Applications organization (o=applications on the command line). Application server objects are always contained in the Application Servers organization (o=appservers on the command line).
You can use Directory (organizational unit) objects to subdivide these organizations. For example, you might want to use a Directory object to contain the applications used by a particular department. You can also arrange applications and application servers into Groups.
In SGD, there are links or relationships between user profiles, applications, and application servers. The Administration Console calls these links assignments. Each relationship is managed from an assignment tab. For example, user profile objects have an Assigned Applications tab that shows all the application objects that are assigned to the user. These are the applications that display on a user’s webtop. Similarly, application objects have a Hosting Application Servers tab that shows the application servers that can run the application.
Creating and assigning an application object involves the following steps:
Create an application server object.
In this step, you specify the name and location of the application server that runs the application.
In this step, you specify the command that runs when users start the application and how the application is presented.
Assign the application object.
In this step, you assign the application server object to the application object, so that SGD knows where to run the application. Then you assign the application object to an object on the user profiles tab, so that SGD puts a link for the application on a user’s webtop.
Only SGD Administrators can create objects and assign them.
The following procedures describe how to create and assign a Windows application object. The principles are the same for other application types.
On the command line, you can also perform all these steps with the tarantella object family of commands.
In the Administration Console, click the Application Servers tab.
Create the application server object.
Create the application server object directly in the Application Servers organization, as shown in FIGURE 4-22. You can move it to a different location later if needed.
Ensure the Application Server option is selected and click Create.
The Create a New Object window closes and the content area is updated with the new object. See FIGURE 4-23.
Click the View New Object link.
The General tab for the application server object is displayed in Object View, as shown in FIGURE 4-24.
Configure the application server object.
In the Address field, type the fully-qualified DNS name of the application server.
Ensure that the Application Start check box is selected.
This tells SGD that the application server is available to run applications.
In the Domain Name field, type the name of the Microsoft Windows domain.
This attribute is used in the authentication process when users run the application.
In the Administration Console, click the Applications tab.
Create the application object.
Create the application object directly in the Applications organization, as shown in FIGURE 4-25. You can move it to a different location later if needed.
In the Name field, type the name of the application.
The name you type is used for the application link on the webtop.
Ensure that the Windows Application option is selected and click Create.
The Create a New Object window closes and the content area is updated with the new object, as shown in FIGURE 4-26.
Click the View New Object link.
The General tab for the application object displays in Object View.
The configuration settings for a Windows application are described in more detail in the Sun Secure Global Desktop 4.41 Administration Guide. For this example, the default settings are sufficient, apart from the following configuration.
In the Application Command field, type the application command.
For Windows desktop sessions, leave this field blank.
To run a particular application, type the full path of the command that runs the application, for example, C:\Windows\notepad.exe.
The application must be installed in the same location on all application servers.
Ensure that the Try Running from Application Server check box is selected and that the Microsoft RDP Protocol option is selected.
In the Administration Console, click the Applications tab and select the application object.
Specify the application servers that can run the application.
Click the Hosting Application Servers tab. See FIGURE 4-29.
In the Editable Assignments table, click Add.
The Add Application Server Assignment window displays. See FIGURE 4-30.
Locate the application server.
Use the Search field to find the application server object, or browse the navigation tree.
Select the check box next to the application server object and click Add
If you select more than one application server object, SGD load balances between application servers.
If you select a group object containing application server objects, you select all the application server objects in that group.
The Effective Application Servers table is updated with the selected application server object, as shown in FIGURE 4-31.
Specify the users that see the application on their webtop.
Click the Assigned User Profiles Tab. See FIGURE 4-32.
In the Editable Assignments table, click Add.
The Add User Assignment window displays, as shown in FIGURE 4-33.
Use the Search field to find the user profile, or browse the navigation tree.
You can assign an application object to a user profile or directory object.
If you assign an application object to a directory object, all the user profiles contained in that directory object automatically receive the application. This is called inheritance. Assigning an application object to directory objects is more efficient.
Select the check box next to your user profile and click Add.
The Effective User Profiles table is updated with the selected users. See FIGURE 4-34.
Check that the application appears on your webtop.
You might have to log out and log in using your UNIX or Linux system user name and password to see the application on your webtop.
In the Administration Console, the Global Settings tab is where you configure the settings that apply to SGD as a whole. See FIGURE 4-35.
The Global Settings tab contains other tabs for configuring and managing SGD. For example, the Secure Global Desktop Authentication tab is where you configure how users authenticate to SGD.
In the Administration Console, the Secure Global Desktop Servers tab is where you manage individual SGD servers. See FIGURE 4-36.
The Secure Global Desktop Servers tab shows you the status of an SGD server, whether it is running, how many user sessions there are, and how many application sessions the server is hosting.
When you click on the name of an SGD server in the Secure Global Desktop Servers List table, the Administration Console displays further tabs in Object View. You use these tabs to configure and manage the selected SGD server. See FIGURE 4-37.
On the command line, you use the tarantella config command to configure global settings and SGD servers. The Sun Secure Global Desktop 4.41 Administration Guide has details of all the command-line arguments.
The Secure Global Desktop Servers tab enables you to group SGD servers together to form an array. An array is a collection of SGD servers that share configuration information.
An array contains the following:
One primary server – This server is the authoritative source for global SGD information, and maintains the definitive copy of the organizational hierarchy
One or more secondary servers – The primary server replicates information to these servers
A single, standalone server is considered to be the primary server in an array with no secondary servers.
SGD servers in an array might run different operating systems. However, all the array members must run the same version of SGD.
While you are evaluating SGD you are limited to an array containing a maximum of two SGD servers. Once you install a license key, this restriction is removed.
Arrays have the following benefits:
User sessions and application sessions are load-balanced across the array. To scale more users, simply add more SGD servers to the array.
With more than one server, there is no single point of failure. You can decommission a server temporarily with the minimum of disruption to your users.
Configuration information, including all the objects in your organizational hierarchy, is replicated to all array members. All array members have access to all information.
Users see the same webtop and can resume applications no matter which SGD server they log in to.
You add an SGD server to an array by clicking Add in the Secure Global Desktop Servers List table.
You can keep track of what your users are doing by monitoring the user sessions and application sessions in progress. User sessions and application sessions are always associated with a user identity and a user profile. The user identity is the unique authenticated identity of the user. The user profile is the SGD user profile object that contains the user’s settings.
A user session begins when a user logs in to SGD and ends when a user logs out. User sessions are hosted by the SGD server the user logs in to. User sessions can be standard sessions or secure sessions. Secure sessions are only available when SGD security services are enabled.
If a user logs in and they already have a user session, the user session is transferred to the new SGD server and the old session ends. This is sometimes called session grabbing, or session moving.
In the Administration Console, you can list user sessions as follows:
The Sessions tab, in Navigation View, shows all the user sessions that are running on all SGD servers in the array.
The User Sessions tab for an SGD server shows all the user sessions that are hosted by that server.
The User Sessions tab for a user profile shows all the user sessions associated with the user profile.
On the Sessions tab and the User Sessions tabs, you can select and end user sessions. On the User Sessions tabs, you can view further details about the user session, for example the information the SGD Client detects about the client device.
On the command line, you use the tarantella webtopsession command to list and end user sessions.
An application session begins when a user starts an application and ends when the application exits. Each application session corresponds to an application currently running through SGD. Application sessions can be running or suspended.
An application session can be hosted by any SGD server in the array. This might not be the same SGD server that the user logged in to.
In the Administration Console you can list application sessions as follows:
The Application Sessions tab for an SGD server shows all the application sessions that are hosted by that server.
The Application Sessions tab for a user profile shows all the application sessions associated with the user profile.
The Application Sessions tab for an application server shows all the applications that are running on that application server.
On the Applications Sessions tabs, you can view further details about an application session. You can also end and shadow application sessions. With shadowing, you and the user see and interact with the application at the same time.
Note - You can only shadow Windows applications and X applications, and the application sessions must not be suspended. |
On the command line, you use the tarantella emulatorsession command to list and end application sessions.
To control SGD from the command line, use the tarantella start, tarantella stop, and tarantella restart commands.
You control an SGD server and the SGD Web Server with the following commands:
tarantella start – Starts the SGD Web Server and the SGD server
tarantella stop – Stops the SGD Web Server and the SGD server
tarantella restart – Stops and then restarts the SGD Web Server and the SGD server
Subcommands for the tarantella start, tarantella stop, and tarantella restart commands enable you to control individual components of SGD, as follows:
The sgd subcommand controls the SGD server. The following example starts SGD services on a host, including printing services.
# tarantella start sgd |
The webserver subcommand controls the SGD Web Server. The following example stops and then restarts the SGD Web Server.
# tarantella restart webserver |
See the Sun Secure Global Desktop 4.41 Administration Guide for more information about the available subcommands and options for the tarantella stop, tarantella start, and tarantella restart commands.
This section describes how you control the SGD Enhancement Module.
When you install the SGD Enhancement Module for Microsoft Windows, the load balancing service starts immediately. The load balancing service also starts automatically whenever the Windows host is rebooted.
When you install the SGD Enhancement Module for UNIX and Linux Platforms, the load balancing and UNIX audio processes start immediately. The client drive mapping processes have to be started manually because extra configuration is required.
Whenever the host is rebooted, all the Enhancement Module processes are started automatically.
On UNIX and Linux platforms, you can control the Enhancement Module processes manually with the tem command. The tem command is a script installed in the install-dir/bin directory. By default, install-dir is /opt/tta_tem. As this script is not on the standard PATH, you must use the full path each time you run the command, or change to /opt/tta_tem/bin before running the command. Alternatively, do the following:
You control the Enhancement Module processes manually by running the following commands as superuser (root):
Use the tem status command to show the status of the various modules in the Enhancement Module.
SGD is built around a three-tier network architecture model, consisting of the following tiers:
Different tiers can reside on the same host. For example, a single UNIX platform host can act as both an SGD server and an application server, but the tiers remain logically independent.
The first tier contains client devices. A client device is a piece of hardware that can communicate with SGD using a browser and the SGD Client.
The browser communicates with the SGD Web Server on the second tier and displays the webtop to users.
The SGD Client communicates with SGD servers on the second tier and displays the applications that users run.
The Adaptive Internet Protocol (AIP) ensures optimal network usage between the first and second tiers.
The second tier contains SGD servers, which act as a gateway between the first and third tiers. This tier might contain a single SGD server, or many SGD servers configured to form an array.
The third tier contains application servers that run users’ applications.
When a user clicks a link on their webtop, SGD starts the application on an appropriate application server. Output from the application is redirected by the SGD server from the application server to the client device.
When you tell SGD about an application, you include information about all the application servers that can run the application. SGD load balances between the application servers.
By default, SGD installs in a 30-day evaluation mode. During the evaluation period, the following restrictions apply:
After 30 days, the SGD server no longer permits users to log in.
To continue using SGD, you must add a license key. You can add license keys in the following places:
# tarantella license add license-key |
The following information is essential to help people use SGD:
Users need to know the login URL. Use http://server.example.com/sgd, where server.example.com is the name of an SGD server.
Users need to know what user name and password to type to log in to SGD.
SGD supports several mechanisms for authenticating users. The user names and passwords depend on the enabled authentication mechanisms. By default, users can log in with their UNIX or Linux system user name and password.
If your organization prefers not to use Java technology, users need to be shown how to download and install the SGD Client manually. See Installing the SGD Client Manually for details.
Users need to know how to start and stop applications.
The applications users can access through SGD might run on many different application servers. When a user clicks a link to start an application, SGD might prompt them for a user name and password for the application server. Users need to know what user names and passwords to use.
All users have a link to the Sun Secure Global Desktop 4.41 User Guide on their webtop. Click Help.
On the webtop, click Help to display the Sun Secure Global Desktop 4.41 Administration Guide. This is the online documentation for configuring and running SGD. Online help is also available in the Administration Console.
Documentation in Hypertext Markup Language (HTML) and Portable Document Format (PDF) formats is also available from the following locations:
You can also discuss technical issues at the SGD forum on Sun Developer Network http://forum.java.sun.com/forum.jspa?forumID=815.
Copyright © 2008, Sun Microsystems, Inc. All rights reserved.