June 5, 2013 XenClient Enterprise 5.0 Engine VNC Remote Access.

June 5, 2013

XenClient Enterprise 5.0Engine VNC Remote Access

Copyright 2013 Citrix


Table of Contents

VNC Engine Remote Access Page 3

Engine Policy VNC Configuration Page 4

Engine Policy Override (Owned Computers) Page 5

Engine Policy Override (Unowned Computers) Page 6

Engine Update Check Required Page 7

Manual Engine Update Check Page 8

VNC Software Page 9

Connecting to Engine with VNC Viewer Page 10

Engine IP Address Page 11

VNC and Engine Login Page 12

VNC and Engine Reboot Page 13

VNC Timeout Page 14

VNC Connection Notification Page 15

VNC Connection Authorization Page 16

VNC Password Recovery Page 17

Switching Between Engine and VM Page 18



VNC Engine Remote Access

Overview

•Disabled by default, can only be enabled in the Synchronizer.

•Allows remote access to managed computers at the Engine level.

•Very useful for providing remote assistance to end users.

•Frequently used by Citrix technical support for remote troubleshooting.

Limitations

•Requires a direct network connection to the Engine.

•The Engine computer must have a monitor attached.

•VNC may be considered insufficiently secure in some environments.

Alternatives

•GoToMeeting/GoToAssist:• Great for remote access to VMs.• But can’t be used to access the Engine itself.

•Intel AMT:• Platform-level VNC access with better security.• Part of the Intel vPro feature set.



Engine Policy VNC Configuration

• VNC access is enabled by updating the Engine policy in Synchronizer.

• This will enable VNC access for all computers assigned to the policy.

• VNC access cannot be enabled to unregistered computers.

In the Policies section, select the Engine policy to be updated, then select the Support vertical tab.

Enable VNC remote access and enter a strong VNC password. Then save the policy changes.



Engine Policy Override (Owned Computers)

In the Users section, select the user registered to the computer. Then select the Policies tab.

VNC access can be enabled for a specific computer by overriding the Engine policy configuration. This method can also be used to set a different VNC password for a specific computer. For owned computers, the Engine policy is associated with the User, not the Computer.

Select the Support vertical tab.

Enable VNC access and set a strong password, then save the policy override settings.

This flag icon indicates the Support section of the Engine policy has been overridden.



Engine Policy Override (Unowned Computers)

Select the unowned computer in the Computers section, then select the Policies tab.

VNC access can be enabled for a specific computer by overriding the Engine policy configuration. This method can also be used to set a different VNC password for a specific computer. For unowned computers, the Engine policy is associated with the Computer, not with a User.

Select the Support vertical tab.

Enable VNC access and set a strong password, then save the policy override settings.

This flag icon indicates the Support section of the Engine policy has been overridden.



Engine Update Check Required

When Will VNC Access be Enabled?•Not until Engine checks for updates with Synchronizer to get the policy update.•If Engine can’t communicate with Synchronizer, then VNC access can’t be enabled.

Automatic Update Check•The computer will automatically check for updates with Synchronizer.•Update check interval defined in Engine policy (Activity Center section, see below).•Default update check interval is 10 minutes but should be higher for large deployments.•Recommended minimum value:

• N/20 where N is total number of registered computers.• But no less than 10 minutes.

•Excessive update checks can cause performance issues in the Synchronizer.

Manual Update Check•A manual update check can be initiated from the Engine (see next page).•If access to the Engine is not available, must wait for next automatic update check.



Manual Engine Update Check

There is also a shortcut to the Activity Center on the Engine launcher screen.

To check for updates manually on the Engine:•Hover to the right of the Control Panel icon.•A menu will appear. Choose “Check for Updates”.

Or from the Engine control panel:•Select the “Tools by Category” view.•Launch the Activity Center applet.•Click the “Check for Updates button.



VNC Software

VNC Viewer Software•VNC Viewer (client) software is needed for remote access to XCE computers.•Synchronizer does not include a VNC Viewer, one must be installed separately.

Compatible VNC Products•The following VNC products have been known to work:

• TightVNC (recommended): http://www.tightvnc.com• RealVNC: http://www.realvnc.com• UltraVNC: http://www.uvnc.com

•Free open-source versions are available for download.•Purchasing the software is recommended if it is found to be useful.

VNC Server Software•VNC products may also include a VNC Server component.•Installing the VNC Server is not recommended and not required for remote access to XCE computers.•It may be necessary to use a “custom installation” option to install the VNC Viewer without VNC Server (example shown for the TightVNC installer).



Connecting to Engine with VNC Viewer

Start the VNC Viewer and connect to the Engine by IP address.

A password challenge should appear. Enter the password set for VNC access in the Engine policy.

The VNC viewer should connect to the Engine and display the Engine desktop.



Engine IP Address

The Engine IP address is displayed in the Engine networking control panel.

The Engine IP address is also displayed in the Synchronizer console.

If the Engine connects to Synchronizer across a network router:•The IP address displayed in the Synchronizer console may be incorrect.•It may be the IP address of the router instead of the Engine.•The IP address displayed in the Engine will always be correct.



VNC and Engine Login

For Unencrypted Computers:•VNC access to Engine is possible while Engine is waiting for user login.•Once connected with VNC, a remote user may login to Engine through the VNC session.•VNC access does not bypass the need to login to the Engine.•But if VNC Connection Authorization is enabled, VNC can’t connect until a user logs into the Engine and accepts the VNC connection.

For Encrypted Computers:•VNC access cannot be used to unlock disk encryption.•Encryption can only be unlocked with a physical keyboard connected to the computer.•VNC access is not enabled until after encryption is unlocked and the Engine is fully booted.



VNC and Engine Reboot

If an Engine computer is rebooted (restarted) from a VNC connection:

Unencrypted Computers

•The VNC viewer will disconnect when the computer shuts down.

•Engine VNC access should automatically restart when the computer restarts.

•The VNC viewer should be able to connect back to the computer in a few minutes.

•But if VNC Connection Authorization is enabled, VNC can’t connect until a user logs into the Engine and accepts the VNC connection.

Encrypted Computers

•The VNC viewer session will terminate when the computer shuts down.

•When the computer restarts, it will stay at the encryption unlock screen until the encryption password is entered.

•VNC access does not restart until after encryption unlock and the Engine is fully booted.



VNC Timeout

• The Support section of the Engine policy includes a VNC timeout setting.

• Prevents VNC access from being enabled when it shouldn’t be.

• When Engine VNC access is enabled:

• Engine periodically checks with Synchronizer to see if VNC access should remain enabled.

• If Engine is unable to perform this check, a timer is started for VNC timeout.

• If Engine is still unable to check with Synchronizer after the VNC timeout expires, then Engine will disable VNC access.

• If the Synchronizer is offline for an extended period of time:

• Eventually all Engine computers will disable VNC access due to VNC timeout.

• This effect can be mitigated by setting the VNC timeout very high.

• Only recommended for computers on trusted networks.

This refers to communication between Engine and Synchronizer.



VNC Connection Notification

• On the Engine, a pop-up message is displayed for a VNC connection.

• This is simply a notification.

• Click on the message to dismiss it.

• The message should appear even if a VM is in the foreground.

• The notification can be disabled in the Engine policy Launcher section.

• By un-checking the Display Pop Up Messages checkbox.

• But this will disable all pop-up messages on the Engine.

Uncheck to disable VNC notification and all other Engine pop-up messages.



VNC Connection Authorization

Check to enable user authorization of VNC connections to Engine.

• VNC connection authorization can be enabled in the Support section of the Engine policy.

• By checking the Accept Support Connection check box.

• This allows the end-user to accept or reject the VNC connection.

• With VNC connection authorization enabled, a pop-up message is displayed when a remote user tries to connect to Engine.

• By default, this message is not displayed and the end-user cannot reject the VNC connection.

• This message is displayed and must be accepted before the VNC viewer will prompt the remote user for the VNC password.



VNC Password Recovery

• In the Engine policy, the VNC password is usually hidden.

• To view the VNC password in plain text, check the Show Password Value checkbox.

• The VNC password will be hidden again if the browser is restarted or refreshed.

• Only an Administrator with the proper Synchronizer role is able to view the VNC password.



Switching Between Engine and VM

• This should switch to the Engine launcher screen.

• A similar process can be used for other key combinations with Ctrl and Alt.

• On some VNC viewers (including TightVNC), the Ctrl and Alt buttons are sticky so make sure to unset them when done.

• With a VM in the foreground, Ctrl-Down is used to display the Engine launcher screen.

• Sometimes the Ctrl key isn’t passed through the VNC Viewer to the Engine. If this happens:

• Click the Ctrl button on the VNC viewer:• Then press the Down button on the keyboard.

• This is for TightVNC. Other VNC viewers may have different controls.

June 5, 2013 XenClient Enterprise 5.0 Engine VNC Remote Access.

Documents

Transcript of June 5, 2013 XenClient Enterprise 5.0 Engine VNC Remote Access.