CHAPTER 2
This section describes the features that are new in the Sun Secure Global Desktop Software 4.40 release.
The SGD administration tools, Object Manager, Array Manager, Configuration Wizard, and Session Manager have been replaced by the SGD Administration Console. The SGD Administration Console is a web application. The Administration Console can be used by SGD Administrators to configure SGD.
The Administration Console is localized into the languages supported by SGD: English, French, Japanese, Korean, Simplified Chinese, and Traditional Chinese.
To use the Administration Console, your browser must have JavaScript enabled.
Wherever possible, run the Administration Console on the primary server in the SGD array. Some operations, for example, creating new objects or editing object attributes, are best done on the primary server. If you perform these operations on a secondary server and the primary server is not running, your changes are not implemented.
You can start the Administration Console in one of the following ways:
Click the Administration Console link on the webtop of an SGD Administrator.
Click the Launch the Sun Secure Global Desktop Administration Console link on the SGD Web Server Welcome Page at http://server.example.com, where server.example.com is the name of an SGD server.
Go to http://server.example.com/sgdadmin, where server.example.com is the name of an SGD server.
See the Sun Secure Global Desktop 4.4 Administration Guide and the Sun Secure Global Desktop 4.4 Reference Manual for more details about the Administration Console.
The Administration Console uses different terminology compared to previous SGD releases.
The following table lists some common terms used in version 4.31 and the corresponding term used in the Administration Console.
| SGD Version 4.31 | Administration Console |
|---|---|
| array member | SGD server |
| browser-based webtop | webtop |
| emulator session | application session |
| Enterprise Naming Scheme (ENS) | local repository |
| ENS equivalent name | user profile |
| Fully Qualified Name | user identity |
| host | application server |
| intelligent array routing | load balancing group |
| login authority | system authentication |
| login profile | user profile |
| person object | user profile object |
| Tarantella Federated Naming (TFN) | Not used |
| webtop session | user session |
The Desktop Direct Uniform Resource Locator (URL) enables users to log in and display a full-screen desktop without displaying a webtop.
To be able to use the Desktop Direct URL, the user must be assigned an application object called My Desktop (cn=My Desktop). This object is created automatically when SGD is installed. By default, the object is configured to run the default desktop application available on the SGD server, for example, the Sun Java Desktop System. You can reconfigure this object to run any application you want, but it works best with full-screen desktop applications. If users require different desktop applications, you can create additional My Desktop objects as required. However, users must be assigned only one My Desktop application.
Note - Users can be assigned any number of applications, but the Desktop Direct URL only gives users access to the My Desktop application.
The Desktop Direct URL is http://server.example.com/sgd/mydesktop, where server.example.com is the name of an SGD server. This URL displays the SGD Login page. Once the user has logged in, the desktop session displays and the web browser can be closed.
Note - There are no controls for suspending or resuming the desktop application. Users must log out of the desktop application as normal.
Users with Microsoft Windows client devices can have roaming user profiles. Roaming user profiles provide the user with the same working environment, no matter which Microsoft Windows computer they use. If Microsoft Windows users have roaming user profiles, the SGD client profile is automatically adjusted to allow for this, as follows:
Settings specific to the user’s client device, for example the proxy server configuration, are stored on the client device.
By default, this is homedrive\Documents and Settings\username\Local Settings\Application Data\Sun\SSGD\profile.xml
Settings specific to the user, for example the preferred language, are stored in the location of the roaming user profile.
Usually, this is homedrive\Documents and Settings\username\Application Data\Sun\SSGD\profile.xml
Note - This location also contains the user’s hostsvisited and certstore.pem files.
The following settings from the SGD client profile are stored in the location of the user’s roaming profile:
| Client Profile Setting | Roaming Profile Entry |
|---|---|
| Login URL | `<url>` |
| Add Applications to Start Menu | `<mode>` |
| Automatic Client Login | `<autologin>` |
| Connect on System Login | `<autostart>` |
| Connection Failure | `<reconnect mode>` |
SGD Administrators can now configure an automatic timeout for idle user sessions.
The timeout enables user sessions to be suspended if there has been no application session or webtop activity for a specified time period. The timeout applies to all SGD servers in the array.
This timeout is only configurable from the command line. You cannot edit the timeout value using the Administration Console.
You configure the timeout with the following command:
```
$ tarantella config edit \
  --tarantella-config-array-webtopsessionidletimeout secs
```
Replace secs with the timeout value, measured in seconds.
A setting of 0 turns off the user session idle timeout feature. This is the default setting.
In the following example, user sessions are suspended after 1800 seconds (30 minutes) of inactivity.
```
$ tarantella config edit \
  --tarantella-config-array-webtopsessionidletimeout 1800
```
You can now specify a netmask filter when setting the following attributes:
The netmask filter takes the format v.w.x.y/z. The previous “wildcard” type filters are still supported.
The following example uses a netmask filter to specify external DNS names.
```
$ tarantella config edit --server-dns-external \
  "192.168.55.0/24:boston.indigo-insurance.com"
```
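The following added example (not code from the release notes or from SGD itself) shows how a netmask filter of the form v.w.x.y/z selects an external DNS name for a given client address, alongside the older wildcard form the notes say is still supported. Two details are assumptions rather than documented facts: that a wildcard filter is written with `*` in place of an octet, and that entries are evaluated in order with the first match winning.

```python
import ipaddress

# Constructed sample of a --server-dns-external value. Each entry is
# "filter:external-dns-name". The first uses the 4.40 netmask form; the other
# two use the older wildcard form, whose '*'-per-octet syntax is an assumption.
SAMPLE_ENTRIES = [
    "192.168.55.0/24:boston.indigo-insurance.com",
    "10.0.*.*:internal.indigo-insurance.com",
    "*:www.indigo-insurance.com",
]


def parse_entry(entry):
    """Split one entry into (filter, dns_name), splitting on the last ':'."""
    filt, _, name = entry.rpartition(":")
    if not filt or not name:
        raise ValueError("entry must be filter:dns-name, got %r" % entry)
    return filt, name


def filter_matches(filt, client_ip):
    """Return True if the dotted-quad client_ip satisfies the filter."""
    addr = ipaddress.IPv4Address(client_ip)
    if "/" in filt:
        # Netmask filter. strict=False tolerates host bits in the prefix
        # (e.g. 192.168.55.1/24) instead of raising.
        network = ipaddress.IPv4Network(filt, strict=False)
        return addr in network
    # Wildcard filter (assumed form): '*' alone matches every address,
    # otherwise compare octet by octet with '*' matching any octet.
    if filt == "*":
        return True
    pattern = filt.split(".")
    if len(pattern) != 4:
        raise ValueError("wildcard filter must have four octets, got %r" % filt)
    octets = client_ip.split(".")
    return all(p == "*" or p == o for p, o in zip(pattern, octets))


def external_dns_name(entries, client_ip):
    """First-match selection (assumed ordering): the external DNS name of the
    first entry whose filter matches client_ip, or None if nothing matches."""
    for entry in entries:
        filt, name = parse_entry(entry)
        if filter_matches(filt, client_ip):
            return name
    return None


if __name__ == "__main__":
    for ip in ("192.168.55.17", "10.0.3.4", "203.0.113.5"):
        print(ip, "->", external_dns_name(SAMPLE_ENTRIES, ip))
```

Because the catch-all `*` entry is last, addresses outside every specific filter still receive a name; placing it first would shadow the more specific filters, which is the ordering mistake worth checking for when an array serves clients both inside and outside a firewall.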
A new Window Management Keys (--remotewindowkeys) attribute is available for the following object types:
Using this attribute, keyboard shortcuts that deal with window management can either be sent to the remote session or acted on locally. This setting is only effective for applications having a Window Type setting of Kiosk mode.
To exit Kiosk mode when this attribute is enabled, use the key sequence Alt+Ctrl+Shift+Space. This minimizes the kiosk session on the local desktop.
By default, the Windows key is now enabled in SGD Windows Terminal Services sessions. The default setting for the SGD Terminal Services Client (ttatsc) -windowskey option is on. You can change this option using the Arguments for Protocol (--protoargs) attribute on the Windows application object.
SGD runs on Solaris 10 OS Trusted Extensions with the following known limitations:
SGD must be installed to a labelled zone. See the Sun Secure Global Desktop 4.4 Installation Guide for more information about installing SGD on Solaris 10 OS Trusted Extensions.
Client drive mapping is not supported for UNIX platform client devices [6610354].
Audio is not supported for UNIX platform applications [6610352].
Integrated mode is not supported for Solaris 10 OS Trusted Extensions client platforms [6610371].
Kiosk mode display for applications does not provide the best user experience for Solaris 10 OS Trusted Extensions client platforms [6594795].
The Administration Console can be used to globally manage passwords and tokens for all users of SGD.
You can now manage passwords and tokens by user identity or by user profile. Previously, the Object Manager administration tool only supported management of passwords and tokens by user profile.
If an SGD server has multiple DNS names, for example, it is known by different names inside and outside a firewall, you can specify the additional DNS names as subject alternative names when generating a Certificate Signing Request (CSR). This enables you to associate more than one DNS name with a server certificate.
The tarantella security certrequest command now prompts you to enter subject alternative names when generating a CSR.
The subject alternative names for a certificate can be displayed using the tarantella security certinfo command.
A new Time Zone Map File attribute (--xpe-tzmapfile) is available.
The attribute enables you to specify a file that contains mappings between UNIX client device and Microsoft Windows application server time zone names. The attribute applies to all SGD servers in the array.
SGD version 4.40.917 and later supports Session Directory for Windows Terminal Services sessions running on Microsoft Windows Server 2003.
Session Directory can be used instead of SGD to handle session resumability for Windows applications. Session Directory is a database that keeps track of which users are running which sessions on which Windows application server.
Using Session Directory enables SGD users to reconnect automatically to their Windows session.
See Session Directory for Windows Terminal Services for more details about using Session Directory with SGD.
This section describes the features that are new in the Sun Secure Global Desktop Software 4.31 release.
SGD Administrators can now enable sound in X applications accessed using SGD.
To hear sound in X applications, the following conditions must be met:
The UNIX audio module of the SGD Enhancement Module must be installed and running on the application server.
The X application must output sound using the Open Sound System (OSS). If your system uses the Advanced Linux Sound Architecture (ALSA), you might have to enable the ALSA OSS emulation modules in the kernel.
The SGD UNIX audio service must be enabled in the Administration Console. The service is disabled by default.
The UNIX audio module contains an OSS audio driver emulator. The audio driver emulator is installed in the kernel when you install the UNIX audio module of the SGD Enhancement Module.
Note - As the UNIX audio module includes an audio driver emulator, the application server itself does not actually need to have a sound card. |
Some X applications are hard-coded to use the /dev/audio or /dev/dsp devices for audio output. A new attribute for X application objects, Audio Redirection Library (--unixaudiopreload), enables an SGD audio redirection library to force the X application to use the SGD audio device.
Microsoft Windows Vista includes the Remote Desktop feature that enables you to access a computer using the Remote Desktop Protocol. You can now use SGD and Remote Desktop, for example, to give users access to their office PC when they are out of the office. Only full Windows desktop sessions are supported.
You can also install the SGD Enhancement Module on Microsoft Windows Vista client devices to provide support for client drive mapping. Advanced load balancing and seamless windows are not supported.
This section describes the features that are new in the Sun Secure Global Desktop Software 4.30 release.
The SGD Client can now operate in either of the following modes:
Webtop mode - Uses a web browser to display the webtop in the same way as previous releases. This is the default mode.
Integrated mode - The webtop content (the links for starting applications) displays in the desktop Start or Launch menu so that users can run remote applications in the same way as local applications. Depending on how you configure Start or Launch menu integration, you might not need to use a web browser.
Note - Use Integrated mode if your organization prefers not to use Java technology on the client device.
To use Integrated mode, you must log in to SGD using the Login link on the desktop Start or Launch menu. Integrated mode is not available if you start a web browser and log in.
Working in Integrated mode simplifies session management. Unlike the webtop, it has no controls for suspending and resuming applications. Instead, when you log out, the Client automatically suspends or ends all running application sessions. When you log in again, the Client automatically resumes all suspended sessions.
Printing is also simplified. Printing is always “on” and print jobs go straight to the selected printer. Unlike the webtop, print jobs cannot be managed individually.
If you need to display a webtop, for example to resume a suspended application or manage printing, you click the Webtop link on the Start or Launch menu. The webtop displays in your default web browser.
If you configure the webtop content to display in groups, those groups are also used in the Start or Launch menu. If the group is configured to hide webtop content, the content does not display in the Start or Launch menu.
To log out of SGD, you click the Logout link on the Start or Launch menu.
For details of the desktop systems that can be used with Integrated mode, see Client Requirements.
You can now configure the SGD Client to start automatically when a user logs in to their client device. The SGD Client can also cache an authentication token that enables a user to start a user session automatically without having to log in manually. When the SGD Client is configured in this way, users experience the benefits of a single sign-on.
Automatic login is achieved using authentication token authentication. If the SGD Client presents a valid authentication token, the user is authenticated automatically to SGD. To obtain an authentication token, users must perform an initial log in using a web browser and then manually generate the authentication token by editing their client profile. A separate token is needed for each SGD server the user connects to.
The desktop Start or Launch menu and single sign-on features mean that the SGD Client requires some configuration to connect to SGD. Not only that, different configurations might be needed in different situations, for example because the user is in the office or working at home. To be able to manage multiple Client configurations, version 4.3 introduces client profiles as the method for storing a group of SGD Client settings. Each client profile enables you to configure the following:
The operating mode of the SGD Client, whether Webtop mode or Integrated mode
Whether the SGD Client starts automatically when the user logs in to their client device
Proxy server configuration, whether the settings are configured manually in the profile or determined automatically from the web browser
Reconnection settings for controlling what happens when the SGD Client loses its connection to SGD
Logging settings for controlling what information is written to the SGD Client log file
The path to the PDF viewer used for PDF printing on Solaris OS, Linux, and Mac OS X clients
SGD Administrators have full control over client profiles. On an Administrator's webtop there is a new administration tool, Profile Editor. With the Profile Editor, Administrators can create and edit client profiles for organization, organizational unit (OU) objects, and for profile objects in the Tarantella System Objects organization. By defining client profiles for these objects, Administrators can deploy common default SGD Client configurations to users.
Administrators can control whether users can create and edit their own client profiles. User profile editing can be enabled globally, for an organization, for an OU, or for individual users. By default, user profile editing is enabled. Users create and edit profiles from the Edit button on their webtop.
SGD has a system-wide default profile that is configured to give users the standard webtop behavior available in previous releases. Administrators can edit this profile.
When the SGD Client connects to SGD, the profile configured for the user is copied from SGD to the client device. If a user edits their profile, the changes are stored only on the client device.
When connecting to SGD from different locations, the SGD Client often needs different client proxy server settings. Ensuring that users have the correct proxy settings can also be difficult to administer. Version 4.3 introduces mobile proxy server configuration. With mobile proxy server configuration, the SGD Client uses the settings in the client profile to determine the proxy server settings. The proxy server settings can be specified as follows:
Manually. The proxy settings are stored in the client profile itself.
Automatically. The proxy settings are obtained from the user’s default web browser.
If the SGD Client is running in Integrated mode and configured to use the web browser settings, the SGD Client obtains the proxy settings by loading the URL specified in the profile in the user’s default web browser. As the SGD Client caches the settings it obtains, the SGD Client can be configured to use the settings in the cache so that the user’s default web browser only has to be started once.
Note - To determine the proxy settings from a web browser, the web browser must have Java technology enabled.
The command line for the SGD Client on all platforms has been enhanced to support client profiles. You can use arguments to specify the following:
With the enhancements to the command line, you can create your own scripts for starting the SGD Client and for running single applications.
To support running the SGD Client in Integrated mode, or in environments that have web browsers without Java technology enabled, you can download and install the SGD Client manually. You download the SGD Client from an SGD server at http://server.example.com, where server.example.com is the name of an SGD server. Click Install the Sun SGD Client to install the SGD Client.
This release includes a new X server, based on X11R6.8.2. The new X server delivers significant speed and bandwidth improvements when compared to version 4.2.
The updated server supports the following X extensions:
The new X server also includes support for some additional X fonts. The Speedo font is no longer available.
X application objects have a new X Security Extension attribute (--securityextension) that enables the X Security Extension for an application. If you need to run an X application from an application server that might not be secure, enable the X Security Extension and run the application in untrusted mode. This restricts the operations that the X application can perform in the X server and protects the display. X security only works with versions of SSH that support the -Y option. For OpenSSH, this is version 3.8 or later.
The SGD Client on UNIX platform, Linux, and Mac OS X client devices now supports PDF printing. On these clients, printing to an SGD PDF printer causes the document to be displayed in a PDF viewer, where the file can be saved or printed. By default, SGD supports the following PDF viewers:
| Client Platform | Default PDF Viewer |
|---|---|
| Solaris OS on SPARC technology platforms | Adobe Reader (acroread) |
| Solaris OS on x86 platforms | GNOME PDF Viewer (gpdf) |
| Linux | GNOME PDF Viewer (gpdf) |
| Mac OS X | Preview.app |
To be able to use a default viewer, the application must be on the user’s PATH.
If an alternative PDF viewer is preferred, the full path to the alternative viewer can be specified in the client profile used by the SGD Client.
PDF printing on Microsoft Windows client devices is unchanged.
Client drive mapping (CDM) is now available for UNIX platform and Linux applications.
When you enable client drive mapping in the Administration Console, this enables client drive mapping for UNIX platform, Linux, and Windows applications.
The attributes for managing access rights to client drives available for organization, organizational unit and user profile objects apply only to Windows client devices regardless of whether they are connected to Windows, UNIX platform, or Linux applications.
The drives that are mapped for UNIX platform, Linux, and Mac OS X client devices are controlled by entries in the user’s configuration file, $HOME/.tarantella/native-cdm-config.
For client drive mapping to be available for UNIX platform and Linux applications, the following conditions must be met:
The SGD Enhancement Module must be installed and running on the UNIX platform or Linux application server. Currently you have to manually start the client drive mapping service with the /opt/tta_tem/bin/tem startcdm command.
The application server must have a Network File System (NFS) server installed and running. The NFS server must export a directory to be used for client drive mapping. By default, this is /smb. It is possible to specify a different directory in the /opt/tta_tem/etc/client.prf file. The entry in this file has the format NFS_server/mount/mountpoint.
The SGD client drive mapping service must be started in the array using the tarantella start cdm command.
The access rights to client drives must be configured using the Administration Console (for Windows clients) and in the user’s configuration file (UNIX platform, Linux, and Mac OS X clients).
When client drive mapping is enabled, the user’s client drives or file systems are available by default in the My SGD drives directory in the user’s home directory. The My SGD drives directory is a symbolic link to the NFS share that is used for client drive mapping.
Users running Windows applications on a Windows Terminal Server can now access the serial ports on their client device.
To be able to access a serial port, the following conditions must be met:
COM port mapping must be enabled in the Terminal Services Configuration (it is by default).
Serial port mapping must be enabled in the Global Settings ⇒ Client Device tab of the Administration Console (it is by default).
Access to serial ports must be enabled for either an organization, an organizational unit, or a user profile object. Access permissions can be inherited.
SGD clients must be able to enumerate the serial ports on client devices. The Sun Secure Global Desktop 4.4 Administration Guide has details of how to map serial ports.
Users must have read-write access to the serial ports that they want to access.
Serial port mapping is available to the SGD Client running on Windows, Solaris platform, and Linux client devices.
Microsoft Windows XP Professional includes the Remote Desktop feature that enables you to access a computer using the Remote Desktop Protocol. You can now use SGD and Remote Desktop, for example, to give users access to their office PC when they are out of the office. Only full Windows desktop sessions are supported.
You can also install the SGD Enhancement Module on Microsoft Windows XP Professional client devices to provide support for client drive mapping. Advanced load balancing and seamless windows are not supported.
The SGD Terminal Services Client (ttatsc) now supports an additional -console option that enables you to connect to the console session with Windows Server 2003 Terminal Services.
You can specify this option with the Arguments for Protocol (--protoargs) attribute of the Windows application object.
The initial connection between an SGD Client and an SGD server is now secured with SSL. However, after the user logs in, the connection is downgraded to a standard connection. To be able to use SSL permanently for connections to SGD, you must enable SGD security services.
TCP Port 5307 is used for SSL-based connections between SGD Clients and SGD. You might have to open this port in your firewall to allow SGD Clients to connect.
SGD has an array routes feature that enables you to configure server-side SOCKS proxy servers. You configure array routes with the following command:
```
$ tarantella config edit \
  --tarantella-config-array-netservice-proxy-routes route...
```
If a route includes the :ssl option, you must configure the SGD SSL Daemon to accept unencrypted connections using the SSL Accelerator Support attribute on the Secure Global Desktop Server Settings ⇒ Security tab of the Administration Console, or with the following command:
```
$ tarantella config edit --security-acceptplaintext 1
```
As the SGD Client can now start and log in automatically, it is vital that users only connect to an SGD server that is trusted. In this release, users must explicitly authorize the connection to SGD.
When a user connects to SGD for the first time, they see an Untrusted Initial Connection warning message that asks them whether they really want to connect to the SGD server. The message displays the host name and fingerprint of the security certificate for the server they are connecting to. Users should check these details before clicking Yes. Once a user agrees to the connection, they are not prompted again unless there is a problem.
To ensure that users only connect to SGD servers that are trusted, SGD Administrators must do the following:
Provide users with a list of host names and fingerprints for the servers that are trusted. Use the tarantella security fingerprint command on each member of the array to obtain a list of fingerprints.
Explain to users the security implications of agreeing to connect to a server.
In a fresh installation, each SGD server has its own self-signed security certificate. Administrators must obtain and install a valid X.509 certificate for each SGD server.
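As an added illustration of the trust decision described above (this is example code, not SGD's own implementation), the following models the check the client performs on first connection: an unknown host prompts the user, a host whose previously accepted fingerprint still matches is trusted silently, and a changed certificate is treated as a problem. The certificate bytes are constructed stand-ins, and the use of SHA-1 with colon-separated hex is an assumption about the fingerprint format, since the release notes do not state what `tarantella security fingerprint` prints.

```python
import hashlib

# Constructed stand-ins for DER-encoded server certificates. Real certificates
# are X.509 DER blobs; any bytes suffice to demonstrate the comparison.
CERT_BOSTON_V1 = b"constructed-der-for-boston-v1"
CERT_BOSTON_V2 = b"constructed-der-for-boston-v2"


def fingerprint(cert_der, algorithm="sha1"):
    """Colon-separated upper-case hex digest of the DER bytes (format assumed)."""
    digest = hashlib.new(algorithm, cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class TrustStore:
    """Minimal model of a hostsvisited-style store: host name -> accepted fingerprint."""

    def __init__(self, trusted=None):
        self.trusted = dict(trusted or {})

    def check(self, host, cert_der):
        """Classify a connection attempt before any credentials are sent."""
        presented = fingerprint(cert_der)
        known = self.trusted.get(host)
        if known is None:
            return "prompt"    # untrusted initial connection: user compares host and fingerprint
        if known == presented:
            return "trusted"   # same certificate as previously accepted: no prompt
        return "mismatch"      # certificate changed since acceptance: warn again

    def accept(self, host, cert_der):
        """Record the user's (or administrator's) decision to trust this host."""
        self.trusted[host] = fingerprint(cert_der)


def administrator_list(hosts_to_certs):
    """Build the host name / fingerprint list an administrator hands to users,
    the same data the user must compare against the warning dialog."""
    return {host: fingerprint(der) for host, der in hosts_to_certs.items()}


if __name__ == "__main__":
    store = TrustStore()
    print(store.check("boston.example.com", CERT_BOSTON_V1))   # prompt
    store.accept("boston.example.com", CERT_BOSTON_V1)
    print(store.check("boston.example.com", CERT_BOSTON_V1))   # trusted
    print(store.check("boston.example.com", CERT_BOSTON_V2))   # mismatch
```

Pre-seeding the store from `administrator_list` is the equivalent of giving users the fingerprint list in advance: a host that is already in the store never reaches the "prompt" state, so the user is never asked to judge a fingerprint by eye.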
SGD Administrators now have control over copy and paste operations in Windows and X application sessions. Administrators can configure copy and paste as follows:
Copy and paste for SGD as a whole can be enabled or disabled.
Copy and paste can be enabled or disabled for organization, organizational unit, or user profile objects. This gives Administrators control over who is allowed to copy and paste.
Applications can be assigned a Clipboard Security Level. Data can only be copied if the target application (the application receiving the data) has the same Clipboard Security Level or higher as the source application. This enables Administrators to secure the data available through particular applications.
The SGD Client can be assigned a Clipboard Security Level. Data can only be copied to applications running on the client device if the SGD Client has the same Clipboard Security Level or higher as the source application. This enables Administrators to secure the flow of data outside of SGD.
If a user attempts a copy and paste operation that is not permitted, for example because of differing security levels, they paste the following message instead of the copied data:
Sun SGD Software: Copied data not available to this application
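The following added example (not SGD's code) evaluates the copy and paste rules listed above as a single policy: the global switch, the per-object permission, the source and target Clipboard Security Levels, and the SGD Client's own level when the target is an application on the client device. Integer levels are an assumption; the release notes only require that levels be comparable as "the same or higher".

```python
# Message pasted in place of the data when the operation is not permitted
# (quoted from the release notes).
REFUSED_MESSAGE = "Sun SGD Software: Copied data not available to this application"


class ClipboardPolicy:
    """Decides whether copied data may reach a target, using integer security
    levels (an assumption; any totally ordered scale would do)."""

    def __init__(self, global_enabled, user_allowed, client_level):
        self.global_enabled = global_enabled  # copy and paste for SGD as a whole
        self.user_allowed = user_allowed      # from the organization / OU / user profile object
        self.client_level = client_level      # level assigned to the SGD Client

    def allowed(self, source_level, target_level):
        """Data may only flow to a target whose level is the same or higher."""
        return self.global_enabled and self.user_allowed and target_level >= source_level

    def paste(self, data, source_level, target_level=None):
        """Return what the target actually receives. target_level=None means the
        target is an application on the client device, so the SGD Client's
        level is used in its place."""
        if target_level is None:
            target_level = self.client_level
        if self.allowed(source_level, target_level):
            return data
        return REFUSED_MESSAGE


if __name__ == "__main__":
    policy = ClipboardPolicy(global_enabled=True, user_allowed=True, client_level=1)
    print(policy.paste("account numbers", source_level=2, target_level=2))  # data
    print(policy.paste("account numbers", source_level=2, target_level=1))  # refused
    print(policy.paste("account numbers", source_level=2))                  # refused (client level 1)
```

The asymmetry is the point: a level-1 application can paste into a level-2 application, but not the reverse, and the client device, carrying its own level, is just another target in the same ordering, which is how the flow of data out of SGD is bounded.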
As well as using RSA SecurID to authenticate users to SGD, you can use SecurID for application server authentication when launching X and character applications.
To use SecurID authentication, first ensure that users can log in to the application server using SecurID before introducing SGD. When you are ready to use SecurID authentication, configure the application to use the securid.exp login script.
Version 4.3 contains localized user interfaces for the following languages:
By visiting a different URL, or selecting a language on the SGD Web Server Welcome Page (http://server.example.com, where server.example.com is the name of an SGD server), users can run a webtop in their preferred language. The SGD Client can also be started in a preferred language.
The Administration Console tool is localized into the same languages as the user interface.
The following table lists the translations of SGD Documentation that are available.
| Language | Release Notes | Installation Guide | Administration Guide | Reference Manual | User Guide |
|---|---|---|---|---|---|
| French | Yes | Yes | No | No | Yes |
| Japanese | Yes | Yes | Yes | Yes | Yes |
| Korean | Yes | Yes | No | No | Yes |
| Simplified Chinese | Yes | Yes | No | No | Yes |
| Traditional Chinese | Yes | Yes | No | No | Yes |
The Expect scripts used to start applications on application servers are enhanced to support system prompts in different languages. By default, the languages supported by SGD are supported.
To enable the Expect scripts to work with system prompts in different languages, a new Prompt Locale (--hostlocale) attribute on application server objects enables you to specify the locale of the application server.
This section describes the changes since the Sun Secure Global Desktop Software 4.31 release.
For this release, the following changes to the supported installation platforms for SGD are applicable:
Solaris 10 OS Trusted Extensions on SPARC and x86 platforms is now supported. See Support for Solaris 10 OS Trusted Extensions for more details.
Fedora Linux 7 (Intel x86 32-bit) is now supported. Fedora Core 6 is no longer a supported platform.
See Chapter 1 for more information about supported platforms for this release.
SGD version 4.31 was the last release to contain the Java technology clients, the SGD Native Clients and the classic webtop. The 4.40 release does not contain these clients.
As a result of this change, for this release of SGD, you cannot configure applications to display in a web browser window. The webtop and newbrowser options for the Window Type attribute (--displayusing) have been removed.
As a security measure to prevent denial-of-service attacks, the sequence of events when you log in to SGD has changed, as follows:
In SGD version 4.31, the SGD Client was started before the login screen was shown.
For SGD version 4.40, the SGD Client is not started until after the user successfully authenticates at the login screen.
Start up of the SGD Client is indicated by an icon in the desktop task bar. See the Sun Secure Global Desktop 4.4 Installation Guide for more details about logging in to SGD.
You can no longer deny a connection to SGD based on the client’s IP address.
In previous releases, the --tarantella-config-ssldaemon-certificates attribute was used to associate an X.509 certificate with an external DNS name for an SGD server.
This attribute is no longer supported. In this release, you can specify external DNS names as subject alternative names when you generate a CSR.
See Subject Alternative Names for Server Certificates for more details.
The following web services changes have been implemented for this release:
In the 4.31 release, the startSession and the authenticateSession methods were used to authenticate a user session.
For the 4.40 release, creating and authenticating a user session have been combined into a single method, authenticate.
The startSession and authenticateSession methods are not available for the 4.40 release.
Some overloaded methods were present in the 4.31 release. These methods were distinguished by the number and type of their parameters. All such overloaded methods have been renamed for the 4.40 release. Additionally, the mandatory parameters for the setSessionIdentity method have changed for the 4.40 release.
The following table lists the method name changes for this release.
| Interface Name | Method Name in Version 4.31 | Method Name in Version 4.40 |
|---|---|---|
| ITarantellaDatastore | modify(String, String, String[]) | modifyReplace(String, String, String[]) |
| ITarantellaEvent | adminSendClientSideMessage(String, String, String, String, String) | adminBroadcastClientSideMessage(String, String, String, String, String) |
| ITarantellaExternalAuth | setSessionIdentity(String, String) | setSessionIdentity(String, String, String) |
| ITarantellaPrint | printJobs(String) | printAllJobs(String) |
| ITarantellaWebtopSession | authenticateSession(String, String, String) | authenticate(String, String, String, String) |
| ITarantellaWebtopSession | authenticateSession(String, String, String, Item[], Item[]) | authenticateExt(String, String, String, String, Item[], Item[]) |
| ITarantellaWebtopSession | setTCCConfiguration(String, String, String, String, String, Item[]) | setTCCConfigurationOverrides(String, String, String, String, String, Item[]) |
| ITarantellaWebtopSession | startSession(*) | No equivalent |
The following table lists the new web service operations.
The SOAP message encoding format used for SGD web services has changed from RPC/Encoded to Document/Literal.
To list the SGD web services, go to http://server.example.com/axis/services, where server.example.com is the name of an SGD server. Click on the wsdl link to see the Web Services Description Language (WSDL) listing for an SGD web service.
The WSDL listings for the RPC/Encoded versions of the web services are still included on this page. Do not use the RPC/Encoded versions when developing your own applications: these versions of the web services will be deprecated in future releases.
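An added example (not SGD's own code) that shows how to tell the two encodings apart from a WSDL listing, and to spot bindings that still expose the startSession and authenticateSession operations removed in 4.40. It parses the soap:binding style and soap:body use attributes that WSDL 1.1 uses to declare RPC/Encoded versus Document/Literal. SAMPLE_WSDL is a constructed, trimmed document; in practice, fetch the WSDL text from the /axis/services page of your SGD server and pass it to classify_bindings().

```python
"""Classify the SOAP bindings in an SGD web-service WSDL as RPC/Encoded
(deprecated) or Document/Literal, and flag operations removed in 4.40.

Added example, not SGD's own code. SAMPLE_WSDL is a constructed,
trimmed WSDL 1.1 document with one binding of each style.
"""
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"

# Methods the release notes say are not available in 4.40.
REMOVED_OPERATIONS = {"startSession", "authenticateSession"}

# Constructed sample: an RPC/Encoded binding that still exposes the old
# authenticateSession operation, and a Document/Literal binding with the
# new authenticate operation.
SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsdlsoap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="urn:example" targetNamespace="urn:example">
  <wsdl:binding name="ITarantellaWebtopSessionSoapBinding"
      type="tns:ITarantellaWebtopSession">
    <wsdlsoap:binding style="rpc"
        transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="authenticateSession">
      <wsdl:input><wsdlsoap:body use="encoded"
          encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/></wsdl:input>
      <wsdl:output><wsdlsoap:body use="encoded"
          encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/></wsdl:output>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:binding name="ITarantellaWebtopSessionDocLitBinding"
      type="tns:ITarantellaWebtopSession">
    <wsdlsoap:binding style="document"
        transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="authenticate">
      <wsdl:input><wsdlsoap:body use="literal"/></wsdl:input>
      <wsdl:output><wsdlsoap:body use="literal"/></wsdl:output>
    </wsdl:operation>
  </wsdl:binding>
</wsdl:definitions>
"""


def _tag(ns, local):
    return "{%s}%s" % (ns, local)


def classify_bindings(wsdl_text):
    """Return {binding name: info} for every wsdl:binding in the document.

    info["encoding"] is "RPC/Encoded", "Document/Literal" or "mixed/other";
    info["removed"] lists operations in the binding that 4.40 dropped.
    """
    root = ET.fromstring(wsdl_text)
    result = {}
    for binding in root.iter(_tag(WSDL_NS, "binding")):
        soap_binding = binding.find(_tag(SOAP_NS, "binding"))
        # WSDL 1.1 defaults style to "document" when the attribute is absent.
        style = soap_binding.get("style", "document") if soap_binding is not None else "document"
        operations, uses = [], set()
        for op in binding.findall(_tag(WSDL_NS, "operation")):
            operations.append(op.get("name"))
            for body in op.iter(_tag(SOAP_NS, "body")):
                uses.add(body.get("use", "literal"))  # assumption: absent use means literal
        if style == "rpc" and "encoded" in uses:
            encoding = "RPC/Encoded"
        elif style == "document" and uses <= {"literal"}:
            encoding = "Document/Literal"
        else:
            encoding = "mixed/other"
        result[binding.get("name")] = {
            "style": style,
            "uses": sorted(uses),
            "encoding": encoding,
            "operations": operations,
            "removed": [o for o in operations if o in REMOVED_OPERATIONS],
        }
    return result


def deprecated_bindings(wsdl_text):
    """Names of bindings a 4.40 client should not be built against."""
    return sorted(name for name, info in classify_bindings(wsdl_text).items()
                  if info["encoding"] == "RPC/Encoded" or info["removed"])


if __name__ == "__main__":
    for name, info in classify_bindings(SAMPLE_WSDL).items():
        print(name, info["encoding"], "removed operations:", info["removed"])
```

Run deprecated_bindings() over each WSDL you build against: any name it returns is a binding that is either RPC/Encoded or still carries a removed method, and client code generated from it will break once those versions are withdrawn.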
A new setting for the tarantella cache command enables you to refresh the current Kerberos configuration settings for an SGD server.
The new option, krb5config, is used as follows:
$ tarantella cache --flush krb5config
This setting enables you to update the Kerberos configuration for an SGD server without having to restart the server. This feature is used for Active Directory authentication only.
For users of the SGD Enhancement Module, a new command is available.
The tem status command provides status information for load balancing, UNIX platform audio, and client drive mapping services for the SGD array. The command lists the installed modules and indicates whether they are running or not.
The SGD Client can be started from the command line using the tcc command on Microsoft Windows client platforms, or the ttatcc command on UNIX, Linux, or Mac OS X client platforms.
In this release, by default, when you start the SGD Client from the command line or in Integrated mode, the SGD Client assumes that the client device does not have Java technology enabled. A new -use-java argument for the tcc and ttatcc commands configures the SGD Client to use Java technology.
In previous releases, by default, the SGD Client assumed Java technology was enabled. A -no-java argument for the tcc and ttatcc commands was available to override this behavior. This argument has now been deprecated.
The available arguments for the tcc and ttatcc commands are described in the Sun Secure Global Desktop 4.4 Administration Guide.
The SGD Client now logs information on client devices. Device access data and error messages are logged for printing, serial port, client drive mapping, audio and smart card devices.
The client device information is written to the SGD Client log file and is displayed on the Detailed Diagnostics page of the webtop.
Several attributes have been renamed to give them shorter names. This prevents errors when typing these attributes on the command line. The following table lists the attribute names that have been renamed.
Attribute Name in Version 4.31 | Attribute Name in Version 4.40 |
---|---|
--tarantella-config-login-thirdparty-searchens | --login-thirdparty-ens |
--tarantella-config-login-thirdparty-allownonens | --login-thirdparty-nonens |
--tarantella-config-ldap-thirdpartyldapcandidate-useens | --login-ldap-thirdparty-ens |
--tarantella-config-ldap-thirdpartyldapcandidate-useprofile | --login-ldap-thirdparty-profile |
--tarantella-config-xpeconfig-timezonemapfile | --xpe-tzmapfile |
The Windows NT Domain attribute has been renamed to Domain Name. This attribute specifies the domain to use for the application server authentication process.
The names of the SGD PDF printers have changed as shown in the following table.
Printer Name in Release 4.31 | Printer Name in Release 4.4 |
---|---|
Universal PDF | Universal PDF Printer |
Print to Local PDF File | Universal PDF Viewer |
For application objects configured with a Window Type setting of Independent Window, a warning dialog is now shown when the application window is closed. The dialog prompts you to confirm that you want to end the application session.
You can no longer configure SOCKS proxy servers using the SGD Client profile.
You can still configure SOCKS proxy servers using the array routing feature. Use the following command:
$ tarantella config edit \
--tarantella-config-array-netservice-proxy-routes \
"192.168.10.*:CTSOCKS:taurus.indigo-insurance.com:8080"
With this configuration, clients with IP addresses beginning 192.168.10 connect using the SOCKS proxy server taurus.indigo-insurance.com on TCP port 8080.
The Object Manager, Array Manager, Session Manager, and Configuration Wizard administration tools are no longer displayed on the Administrator’s webtop. These administration tools have been replaced by a browser-based administration tool called the Administration Console. See SGD Administration Console for more details.
The Configuration Wizard is still included in the SGD distribution, as an example web application. To display the Configuration Wizard, go to http://server.example.com/sgd/admin/configmgr/index.jsp, where server.example.com is the name of an SGD server.
Session Manager is still included in the SGD distribution, as an example web application. To display Session Manager, go to http://server.example.com/sgd/admin/sessmgr/index.jsp, where server.example.com is the name of an SGD server.
The login scripts in the /install-dir/var/serverresources/expect directory have been rationalized. Some scripts have been renamed and others have been merged.
If you are using SecurID for application server authentication, objects now use the securid.exp script, rather than the securid/unix.exp script. For backward compatibility, a symbolic link now exists from securid/unix.exp to the new securid.exp script.
An input method (IM) is a program or operating system component that enables users to enter characters and symbols not found on their keyboard. On Microsoft Windows platforms, an IM is called an input method editor (IME).
When running applications, SGD enables an IM if either the TTA_PreferredLocale, TTA_HostLocale, or the LANG (from the application environment overrides) environment variables are set to a locale that requires an IM. The locales that require an IM are controlled by the IM_localeList variable, which is defined in the vars.exp login script.
By default, an IM is enabled for all Japanese, Korean, and Chinese locales. To enable an IM in other locales, you must edit vars.exp and add the locale to the IM_localeList variable.
This section describes the changes since the Sun Secure Global Desktop Software 4.30 release.
In version 4.31, you can use SecurID authentication when SGD is installed on Solaris x86 platforms.
In version 4.30, it is possible to connect only to one SGD server when the SGD Client is in Integrated mode. In version 4.31, Integrated mode can be used with multiple SGD servers. In the desktop Start or Launch menu, a login link is available for each SGD server.
SGD has an array routes feature that enables you to configure server-side SOCKS proxy servers. You configure array routes with the following command:
$ tarantella config edit \
--tarantella-config-array-netservice-proxy-routes route...
Array routes are enhanced so that you can now configure a direct connection type. Use CTDIRECT as the connection type to specify the clients that can connect without using a proxy server.
The following is an example array route configuration:
$ tarantella config edit \
--tarantella-config-array-netservice-proxy-routes \
"192.168.5.*:CTDIRECT:" \
"192.168.10.*:CTSOCKS:taurus.indigo-insurance.com:8080"
With this configuration, clients with IP addresses beginning 192.168.5 have a direct connection. Clients with IP addresses beginning 192.168.10 connect using the SOCKS proxy server taurus.indigo-insurance.com on TCP port 8080.
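An added example (not SGD's own code) that parses array route strings in the form shown above and in the SOCKS proxy section earlier on this page, validates them, and reports which connection type and proxy a given client address would get. The route syntax (client pattern, connection type, proxy host, proxy port separated by colons) and the CTDIRECT and CTSOCKS types are taken from this page; treating the first matching route as the one that applies, matching the client pattern with shell-style wildcards, and returning None when nothing matches are assumptions of this example, and other connection types SGD may accept are not covered.

```python
"""Parse SGD array routes and resolve the route a client address would use.

Added example, not SGD's own code. Assumptions: first matching route
wins, client patterns are shell-style wildcards (192.168.10.*), and only
the CTDIRECT and CTSOCKS connection types named on this page are known.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

KNOWN_TYPES = {"CTDIRECT", "CTSOCKS"}  # types named on this page

# Constructed sample routes, as passed to
# --tarantella-config-array-netservice-proxy-routes.
SAMPLE_ROUTES = [
    "192.168.5.*:CTDIRECT:",
    "192.168.10.*:CTSOCKS:taurus.indigo-insurance.com:8080",
]


@dataclass
class Route:
    client_pattern: str
    conn_type: str
    proxy_host: Optional[str] = None
    proxy_port: Optional[int] = None


def parse_route(text: str) -> Route:
    """Validate one route string and turn it into a Route."""
    parts = text.split(":")
    if len(parts) < 2 or not parts[0]:
        raise ValueError(f"malformed route {text!r}")
    pattern, conn_type, rest = parts[0], parts[1], parts[2:]
    if conn_type not in KNOWN_TYPES:
        raise ValueError(f"unknown connection type {conn_type!r} in {text!r}")
    if conn_type == "CTDIRECT":
        # A direct route carries no proxy; a trailing empty field is allowed.
        if any(rest):
            raise ValueError(f"CTDIRECT route must not name a proxy: {text!r}")
        return Route(pattern, conn_type)
    # CTSOCKS: a proxy host and a TCP port are mandatory.
    if len(rest) != 2 or not rest[0] or not rest[1].isdigit():
        raise ValueError(f"CTSOCKS route needs host:port: {text!r}")
    port = int(rest[1])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {text!r}")
    return Route(pattern, conn_type, rest[0], port)


def parse_routes(texts: List[str]) -> List[Route]:
    """Parse every route, failing on the first malformed one."""
    return [parse_route(t) for t in texts]


def resolve(routes: List[Route], client_ip: str) -> Optional[Route]:
    """First route whose client pattern matches client_ip, or None."""
    ipaddress.ip_address(client_ip)  # reject strings that are not addresses
    for route in routes:
        if fnmatch.fnmatchcase(client_ip, route.client_pattern):
            return route
    return None


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    for ip in ("192.168.5.17", "192.168.10.200", "10.0.0.1"):
        print(ip, "->", resolve(routes, ip))
```

Because "*" in a shell-style pattern also matches dots, write patterns per octet ("192.168.10.*") rather than open-ended prefixes ("192.168.1*"), which would also match 192.168.100.x addresses you may not intend to route.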
In version 4.31, the startup scripts that ensure SGD services stop and start when an SGD server is rebooted are renamed and restructured. The *Tarantella and *TarantellaWebserver scripts are replaced by a single script named *sun.com-sgd-base. The *tem script for the SGD Enhancement Module is now named *sun.com-sgd-em.
The Untrusted Initial Connection warning message that displays when users first connect to an SGD server is enhanced. Users can now view the server’s security certificate from this message.
In version 4.31, the Windows key is disabled in SGD Windows Terminal Services sessions by default. The Windows key is honored in local Windows sessions only. To display the Windows Start menu in an SGD Terminal Services session, press Alt+Home.
The SGD Terminal Services Client (ttatsc) now supports an additional -windowskey on|off option that enables you to enable support for the Windows key. You can specify this option with the Arguments for Protocol (--protoargs) attribute on the Windows application object.
This section describes the changes since the Sun Secure Global Desktop Software 4.20 release.
Version 4.3 introduces a single package for installing SGD. When you install SGD, you install all the packages that previously had to be installed separately, including the font packages. The license keys installed in the array control the SGD components that can be used.
Because the initial connection to SGD is now always secure, the SGD SSL Daemon is always running, even if SGD security services are not enabled.
In previous releases, a user preferences file was used to configure the SGD Client on UNIX platform, Linux, and Mac OS X client devices. With the introduction of profiles, this file is no longer used.
In previous releases, the Window Close Action (--windowclose) attribute was only available to X applications that were configured to display using client window management. The use of this attribute is extended to include X, Windows, and character applications that are configured to display using an independent window.
The change means that closing an independent window might end or suspend the application session. The default is to end the session.
SGD now supports Pluggable Authentication Modules (PAM) for UNIX platform user authentication. The change affects the following UNIX authentication mechanisms:
SGD uses PAM for user authentication, account operations and password operations.
When you install SGD on Linux platforms, Setup automatically creates PAM configuration entries for SGD by copying the current configuration for the passwd program and creating the /etc/pam.d/tarantella file. On Solaris OS platforms, you can add a new entry for SGD (tarantella) in the /etc/pam.conf file if required.
Using PAM gives SGD Administrators more flexibility and control over UNIX platform user authentication, for example by adding new login tests, account limits, or valid password checks.
As a result of the changes introduced in this release to support PDF printing on UNIX platform, Linux, and Mac OS X client devices, the Display Adobe Reader Print dialog (--pdfprompt) attribute is removed.
This change means that when users print with the Universal PDF Printer printer on Windows clients, the print job is automatically sent to the client’s default printer. To be able to choose the client printer where a print job is sent, users must now select the Universal PDF Viewer printer.
For Active Directory authentication, a Client Certificates checkbox is available in the Authentication Wizard. If Active Directory is configured to require a client certificate and you created and installed a client certificate for SGD, then you no longer need to configure the user name and password of a privileged user.
The password used for the SGD certificate store, /install-dir/var/info/certs/sslkeystore, is no longer hard-coded to 123456. Instead, each store now has a random password, which is stored in /install-dir/var/info/key. Use this password with the -storepass and -keypass options when using the keytool application.
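An added example (not SGD's own code) of using the per-installation password with keytool as described above. It assumes that /install-dir/var/info/key holds the password as a single line and that the file is readable by its owner only; it refuses to proceed if the file is group- or world-accessible, because anyone who can read it can open the SSL keystore. The install directory is a parameter so the check can be pointed at any installation.

```python
"""Read the SGD certificate-store password from install_dir/var/info/key
and build a keytool invocation that uses it.

Added example, not SGD's own code. Assumes the key file contains just
the password on one line and should be readable by its owner only.
"""
import os
import stat
import subprocess
from typing import List


def read_keystore_password(install_dir: str) -> str:
    """Return the store password, refusing a key file others can read."""
    key_file = os.path.join(install_dir, "var", "info", "key")
    mode = stat.S_IMODE(os.stat(key_file).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{key_file} has mode {mode:04o}; expected owner-only access")
    with open(key_file, encoding="ascii") as fh:
        return fh.read().strip()


def keytool_list_command(install_dir: str) -> List[str]:
    """Argument list that lists the SGD keystore, passing -storepass as this page describes."""
    password = read_keystore_password(install_dir)
    keystore = os.path.join(install_dir, "var", "info", "certs", "sslkeystore")
    return ["keytool", "-list", "-v", "-keystore", keystore, "-storepass", password]


def list_keystore(install_dir: str) -> str:
    """Run keytool (a JDK keytool must be on PATH) and return its output."""
    return subprocess.run(keytool_list_command(install_dir), check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    import sys
    print(list_keystore(sys.argv[1] if len(sys.argv) > 1 else "/opt/tarantella"))
```

Passing -storepass on the command line, as the page describes, exposes the password to other local users through the process list while keytool runs; where your JDK's keytool accepts the password from a file instead (the -storepass:file form), prefer that and point it at the key file.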
Version 4.2 contained the following changes to licensing:
Activation license keys are no longer required to enable an array.
Maintenance and Right to upgrade license keys are no longer available.
If you upgrade from an earlier version, your existing product license keys are automatically converted and your existing Maintenance and Right to Upgrade license keys are deleted.
From version 4.1, SGD no longer supports the rlogin and rcmd connection methods for starting applications. If you upgrade from an earlier version, you must change the connection method for any applications that use these methods.
From version 4.1, SGD uses a different attribute for the Maximum Simultaneous User Sessions setting (--tuning-maxconnections). If you upgrade from an earlier version, the default setting for this attribute is applied.
From version 4.0, SGD uses a different emulator for mainframe (3270) applications. 3270 character and 3270 X application objects are no longer available and are replaced by a single 3270 application object. As the new 3270 application object has several new attributes, it is not possible to upgrade existing 3270 application objects. If you upgrade from an earlier version, your existing 3270 character and 3270 X applications are deleted when you upgrade. You must reconfigure these applications.
Copyright © 2008, Sun Microsystems, Inc. All rights reserved.