Manual Installation

Last updated on Aug 27 2024.

Introduction

The purpose of this document is to describe how the different server roles of OVD Enterprise can be installed on all the supported operating systems. The OVD server roles can be installed on separate servers, which is the recommended layout for an OVD farm in production.

Prerequisites

Please make sure that all servers meet the minimum system and hardware requirements for their OVD roles, as listed in the Requirements section.

Each server you plan to install will require internet access.

Important

In this document, we are using sm.test.demo for the OSM resource name, oac.test.demo for the OAC, aps.test.demo for the OAS and web.test.demo for the OVD Web Access.

You need to use the resource name that is configured for your own environment. The resource name can be an IP address, an FQDN or a hostname. It cannot be a URI context, a protocol or a port.

Version Code

Throughout this document, download links will use a version code specific to the version of OVD you are using.

You will find the version code on the Inuvika OVD supported versions page. You may also contact Inuvika to request the code.

Ubuntu LTS

Elevate your shell to the superuser if you are not already root:

$
sudo -s

Repository

You need to add the Inuvika Ubuntu repository to each server you plan to install.

Important

To run these commands, replace any instance of {VERSION_CODE} with the version code as described in the Version code section.

  • Update the package database:

    #
    apt update

  • Upgrade all currently installed packages:

    #
    apt upgrade

  • Install the apt-transport-https package:

    #
    apt install apt-transport-https gnupg

  • Create the file /etc/apt/sources.list.d/ovd.list and add the following line:

    • For Ubuntu 22.04 LTS (Jammy Jellyfish):

      deb https://archive.inuvika.com/ovd/{VERSION_CODE}/ubuntu jammy main

  • Download the repository keyring so that apt can validate the repository using gpg:

    • For Ubuntu 22.04 LTS (Jammy Jellyfish):

      #
      wget "https://archive.inuvika.com/ovd/{VERSION_CODE}/keyring" -O /etc/apt/trusted.gpg.d/ovd.asc

  • Update the package database:

    #
    apt update

RHEL

Repository

You need to add the Inuvika RHEL repository to each server you plan to install.

Important

To run these commands, replace any instance of {VERSION_CODE} with the version code as described in the Version code section.

  • Edit the /etc/yum.repos.d/ovd.repo file to add the following content:

    [Inuvika-ovd]
    name=Inuvika OVD
    baseurl=https://archive.inuvika.com/ovd/{VERSION_CODE}/rhel/8/
    enabled=1
    gpgcheck=1
    gpgkey=https://archive.inuvika.com/ovd/{VERSION_CODE}/keyring
  • Install the EPEL repository:

    #
    subscription-manager repos --enable=codeready-builder-for-rhel-8-x86_64-rpms
    #
    yum install https://download.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

    Info

    The EPEL repository is a separate repository which provides many additional software packages not provided by the default RHEL repositories.

  • Update the package database:

    #
    yum makecache

OVD Session Manager (OSM)

Firewall Configuration

The OSM requires specific ports to be open in your firewall. Follow the instructions below to configure default firewalls.

  • If using UFW (default firewall for Ubuntu):

    • Open port 443/TCP for inbound traffic:

      #
      ufw allow in 443/tcp

    • Open port 1111/TCP for inbound traffic:

      #
      ufw allow in 1111/tcp

  • If using firewalld (default firewall for RHEL):

    Warning

    The following rules will open ports to communication in both directions. Administrators should review and verify all necessary firewall rules in case you need a more restrictive implementation.

    • Open port 443/TCP:

      #
      firewall-cmd --permanent --add-port=443/tcp

    • Open port 1111/TCP:

      #
      firewall-cmd --permanent --add-port=1111/tcp

    • Activate updated firewall rules:

      #
      firewall-cmd --reload

Note

For more detailed firewall configuration, please refer to the Firewall and Ports.

Installing on Ubuntu LTS

Installing MySQL

The OSM needs access to a MySQL database. We advise you to set up the MySQL server on the same machine as the OSM to minimize network latency.

  • Install the mysql-server package

    #
    apt install mysql-server

  • Define the MySQL root password

    #
    mysqladmin -u root password

  • Open a MySQL shell

    #
    mysql -u root -p

    Apply the following instructions within this shell:

    1. Create a database

      mysql>
      CREATE DATABASE ovd;

    2. Create a user, replacing the placeholder [ovd_password] with a secure password for this user

      mysql>
      CREATE USER "ovd"@"localhost" IDENTIFIED BY "[ovd_password]";

    3. Allow the user to operate on the database

      mysql>
      GRANT ALL PRIVILEGES ON ovd.* TO 'ovd'@'localhost';

    4. Reload MySQL configuration and exit the session

      mysql>
      FLUSH PRIVILEGES; exit;

Package Installation

  • Keep the default Kerberos configuration:

    #
    debconf-set-selections <<< "krb5-config krb5-config/default_realm string"

  • Install the following OVD package:

    #
    apt install inuvika-ovd-session-manager

  • The installer will prompt for an admin login and a password, and for confirmation of the password.

The OSM is now installed but not yet ready as the configuration requires the use of the OVD Administration Console. Please follow the next section to install the Administration Console and finish the configuration of the OSM.

Installing on RHEL

SELinux Configuration

Important

This configuration only applies to SELinux enabled systems. For more information, please refer to the section Security-Enhanced Linux.

  • Install the policycoreutils-python package:

    #
    yum install python3-policycoreutils

  • Allow Apache to listen on port 1111:

    #
    semanage port -at http_port_t -p tcp 1111

  • Allow Apache to listen on port 1112:

    #
    semanage port -at http_port_t -p tcp 1112

  • Allow http daemon to send mail:

    #
    setsebool -P httpd_can_sendmail=1

  • Add required capabilities for php-fpm:

    #
    setsebool -P httpd_execmem=1

  • Allow password change:

    #
    setsebool -P nis_enabled=1

  • Allow Apache to connect to AD/LDAP server:

    #
    setsebool -P httpd_can_connect_ldap=1

  • Change the context for files in /var/spool/ovd/:

    #
    semanage fcontext -at httpd_sys_rw_content_t "/var/spool/ovd(/.*)?"

  • Change the context for files in /var/log/ovd/session-manager/:

    #
    semanage fcontext -at collectd_rw_content_t "/var/log/ovd/session-manager(/.*)?"

  • Change the context of files in /usr/lib/fontconfig/cache/:

    #
    semanage fcontext -at fonts_cache_t "/usr/lib/fontconfig/cache(/.*)?"

  • Change the context of files in /etc/ovd/session-manager/:

    #
    semanage fcontext -at httpd_sys_rw_content_t "/etc/ovd/session-manager(/.*)?"

  • Change the context of the file /etc/ovd/session-manager/sessionmanager.cron:

    #
    semanage fcontext -at system_cron_spool_t "/etc/ovd/session-manager/sessionmanager.cron"

  • Create and deploy additional policy rules:

    1. Create and open the file /tmp/ovd_sm.te:

      #
      nano /tmp/ovd_sm.te

    2. Insert the following content and close the file:

      module ovd_sm 1.0;
      
      require {
              type useradd_t, httpd_sys_rw_content_t;
              type httpd_t, fonts_cache_t;
              type var_run_t;
              type collectd_rw_content_t;
              type logrotate_t;
              class file getattr;
              class file write;
              class dir setattr;
              class sock_file write;
      
      }
      allow useradd_t httpd_sys_rw_content_t: file write;
      allow httpd_t fonts_cache_t: dir setattr;
      allow httpd_t var_run_t:sock_file write;
      
      allow logrotate_t collectd_rw_content_t:file getattr;

    3. Create a type file for the SELinux policy:

      #
      checkmodule -M -m -o /tmp/ovd_sm.mod /tmp/ovd_sm.te

    4. Package the policy:

      #
      semodule_package -o /tmp/ovd_sm.pp -m /tmp/ovd_sm.mod

    5. Install the policy:

      #
      semodule -i /tmp/ovd_sm.pp

    6. Remove temporary files:

      #
      rm -f /tmp/ovd_sm*

Installing MySQL

The OSM needs access to a MySQL database. On RHEL, the MySQL database package is provided by MariaDB. We advise you to set up the MySQL server on the same machine as the OSM to minimize network latency.

  • Install the mysql package:

    #
    yum install mariadb mariadb-server

  • Enable and start the service

    #
    systemctl enable --now mariadb

  • Define the mysql root password

    #
    mysqladmin -u root password

  • Open a MySQL shell:

    #
    mysql -u root -p

    Apply the following instructions within this shell:

    1. Create a database

      mysql>
      CREATE DATABASE ovd;

    2. Create a user

      mysql>
      CREATE USER "ovd"@"localhost" IDENTIFIED BY "[ovd_password]";

      Warning

      Replace [ovd_password] with a secure password for this user

    3. Allow the user to operate on the database

      mysql>
      GRANT ALL PRIVILEGES ON ovd.* TO 'ovd'@'localhost';

    4. Reload MySQL configuration and exit the session

      mysql>
      FLUSH PRIVILEGES; exit;

Package Installation

  • Install the following OVD package:

    #
    yum install inuvika-ovd-session-manager

  • Launch the configuration tool and set admin login and password

    #
    ovd-session-manager-config

  • Enable and restart Apache service

    #
    systemctl enable httpd
    #
    systemctl restart httpd

The OSM is now installed but not ready as the configuration requires the use of the OVD Administration Console.

OVD Administration Console (OAC)

Firewall Configuration

The OAC requires specific ports to be open in your firewall. Follow the instructions below to configure default firewalls.

  • If using UFW (default firewall for Ubuntu):

    • Open port 443/TCP for inbound traffic:

      #
      ufw allow in 443/tcp

      Note

      TCP 443 (HTTPS) will only be available if you chose to enable HTTPS access during Administration Console installation.

    • Open port 80/TCP for inbound traffic:

      #
      ufw allow in 80/tcp

  • If using firewalld (default firewall for RHEL):

    Warning

    The following rules will open ports to communication in both directions. Administrators should review and verify all necessary firewall rules in case you need a more restrictive implementation.

    • Open port 443/TCP:

      #
      firewall-cmd --permanent --add-port=443/tcp

    • Open port 80/TCP:

      #
      firewall-cmd --permanent --add-port=80/tcp

    • Activate updated firewall rules:

      #
      firewall-cmd --reload

Note

For more detailed firewall configuration, please refer to the Firewall and Ports.

Installing on Ubuntu LTS

  • Install the following OVD package:

    #
    apt install inuvika-ovd-administration-console

  • The installer will require the resource name of the OVD Session Manager (e.g. sm.test.demo)

  • The installer will prompt whether to enable HTTPS access to the Administration Console if it detects that HTTPS access is not already enabled on the system. If HTTPS access is enabled, after completing the installation, both HTTP and HTTPS access to the Administration Console will be available.

Installing on RHEL

SELinux Configuration

Important

This configuration only applies to SELinux enabled systems. For more information, please refer to the section Security-Enhanced Linux.

  • Install the policycoreutils-python package:

    #
    yum install python3-policycoreutils

  • Change the context for files in /var/spool/ovd/:

    #
    semanage fcontext -at httpd_sys_rw_content_t "/var/spool/ovd(/.*)?"

  • Add required capabilities for php-fpm:

    #
    setsebool -P httpd_execmem=1

  • Allow Apache to connect to the network:

    #
    setsebool -P httpd_can_network_connect=1

Package Installation

  • Install the following OVD packages:

    #
    yum install inuvika-ovd-administration-console

  • Launch the Administration Console configuration tool

    #
    ovd-administration-console-config

  • Specify the resource name of the OVD Session Manager (e.g. sm.test.demo)

    Session Manager address [127.0.0.1]:

  • Select whether to enable HTTPS access to the Administration Console. This message is displayed only if HTTPS access is not already enabled on the system. If HTTPS access is enabled, after completing the configuration, both HTTP and HTTPS access to the Administration Console will be available.

    Enable HTTPS support [yes] (yes or no):

  • Enable and restart Apache service

    #
    systemctl enable httpd
    #
    systemctl restart httpd

Configuration

The first step is to go to http://oac.test.demo/ovd/admin and authenticate yourself with the admin login and password you provided during installation.

The first time you log in, the system detects that it is not configured so you are redirected to a basic setup page which will save a default configuration.

On this page, you setup the MySQL configuration. For example, if you installed MySQL on the same host as described above, you would use the following configuration:

  • Database Type: MySQL
  • Database host address: localhost
  • Database username: ovd
  • Database password: [ovd_password] (replace with the actual password you set)
  • Database name: ovd
  • Table prefix: ovd_

After a successful configuration, the Terms and Conditions page (Inuvika End-User License Agreement) appears. Please read it carefully before accepting.

OVD Application Server (OAS)

Firewall Configuration

Microsoft Windows

The OAS requires specific ports to be open in your firewall. Follow the instructions below to open ports on the Windows Firewall using netsh via Command Prompt (run as administrator).

For any other type of firewall, please refer to its official documentation to open the ports described below.

  • Open port 1112/TCP for inbound traffic:

    >
    netsh advfirewall firewall add rule name="OAS http" dir=in action=allow protocol=TCP localport=1112

  • Open port 3389/TCP for inbound traffic:

    >
    netsh advfirewall firewall add rule name="OAS rdp" dir=in action=allow protocol=TCP localport=3389

Note

For more detailed firewall configuration, please refer to the Firewall and Ports.

Linux

The OAS requires specific ports to be open in your firewall. Follow the instructions below to configure default firewalls.

  • If using UFW (default firewall for Ubuntu):

    • Open port 1112/TCP for inbound traffic:

      #
      ufw allow in 1112/tcp

    • Open port 3389/TCP for inbound traffic:

      #
      ufw allow in 3389/tcp

  • If using firewalld (default firewall for RHEL):

    Warning

    The following rules will open ports to communication in both directions. Administrators should review and verify all necessary firewall rules in case you need a more restrictive implementation.

    • Open port 1112/TCP:

      #
      firewall-cmd --permanent --add-port=1112/tcp

    • Open port 3389/TCP:

      #
      firewall-cmd --permanent --add-port=3389/tcp

    • Activate updated firewall rules:

      #
      firewall-cmd --reload

Note

For more detailed firewall configuration, please refer to the Firewall and Ports section.

Installing on Microsoft Windows

Before installing the OAS, the Inuvika OVD Session Manager (OSM) must be installed and running. Furthermore, if the RDSH role has just been installed, the server must be rebooted before installing the OAS.

Inuvika provides two Windows installers for the OAS:

  • An .exe setup (recommended)
  • An .msi package

Installation using the .exe setup is recommended because it ships all dependencies, whereas the .msi package is provided for automation purposes (auto-deployment) and requires the installation of external dependencies.

Dependencies for the MSI package

Before installing the MSI package, you will need to install the following dependencies:

  • Microsoft Visual C++ Redistributable for Visual Studio 2017 - x86
  • Microsoft Visual C++ Redistributable for Visual Studio 2017 - x64

Visit the Microsoft website for the latest versions.

In addition, you may want to visit the following Chocolatey references as Inuvika has validated them for automation: vcredist2017 & vcredist2008.

Download the OAS installer from this location: https://archive.inuvika.com/ovd/{VERSION_CODE}

Important

Replace {VERSION_CODE} with the version code as described in the Version code section.

Copy the OAS installer to the Windows Server machine you wish to install it on and run it.

The only installation data required is the resource name of the OVD Session Manager. We use sm.test.demo here as an example, but of course, you have to specify your own domain name.

When the installation is complete, the Windows OVD service should be configured and running. To check the status, go to the Windows Services and search for Inuvika OVD Agent.

Installing on Ubuntu LTS

  • Keep the default davfs2 configuration:

    #
    debconf-set-selections <<< "davfs2 davfs2/suid_file boolean false"

  • Install the OAS packages:

    #
    apt install inuvika-ovd-slaveserver-role-aps inuvika-ovd-desktop

  • The only information required is the resource name where the OSM can be accessed. We use sm.test.demo in this example, but of course, you have to use your own resource name.

    Important

    If you choose to install OAS on the same machine as OSM, enter 127.0.0.1 for the resource name.

Installing on RHEL

SELinux Configuration

Important

This configuration only applies to SELinux enabled systems. For more information, please refer to the section Security-Enhanced Linux.

  • Install policycoreutils-python package

    #
    yum install python3-policycoreutils

  • Change context for files in /var/spool/xrdp_printer/

    #
    semanage fcontext -at print_spool_t "/var/spool/xrdp_printer(/.*)?"

  • Create and deploy additional policy rules

    1. Create and open a file /tmp/ovd_aps.te

      #
      nano /tmp/ovd_aps.te

    2. Insert following content and close the file

      module ovd_aps 1.0;
      
      require {
              type smbd_t, cupsd_var_run_t;
              type logwatch_mail_t, logwatch_cache_t;
              type pulseaudio_t, httpd_sys_rw_content_t, system_dbusd_t;
              type initrc_var_run_t, fusefs_t, initrc_state_t;
              class file { append create getattr lock open read write };
              class dir { add_name create read setattr write };
              class sock_file read;
      }
      
      allow smbd_t cupsd_var_run_t:sock_file read;
      allow logwatch_mail_t logwatch_cache_t:dir { add_name write };
      allow logwatch_mail_t logwatch_cache_t:file { append create getattr open };
      allow system_dbusd_t httpd_sys_rw_content_t: file { append };
      allow pulseaudio_t httpd_sys_rw_content_t: file { read write };
      allow pulseaudio_t fusefs_t:dir { add_name create read write };
      allow pulseaudio_t initrc_var_run_t:file { read write };
      allow pulseaudio_t fusefs_t:file { create getattr lock open read write };
      allow pulseaudio_t initrc_state_t:file { getattr read write };

    3. Create a type file for SELinux policy

      #
      checkmodule -M -m -o /tmp/ovd_aps.mod /tmp/ovd_aps.te

    4. Package policy

      #
      semodule_package -o /tmp/ovd_aps.pp -m /tmp/ovd_aps.mod

    5. Install policy

      #
      semodule -i /tmp/ovd_aps.pp

    6. Remove temporary files

      #
      rm -f /tmp/ovd_aps*

Package Installation

  • Install the cups package:

    #
    yum install cups

  • Configure the cups service:

    #
    systemctl enable cups

  • Install the OAS packages:

    #
    yum install inuvika-ovd-slaveserver-role-aps inuvika-ovd-desktop

  • Enable the XRDP services

    #
    systemctl enable xrdp-log.service xrdp-sesman.service xrdp-printer.service xrdp.service

  • Register host/IP address of the OVD Session Manager:

    #
    ovd-slaveserver-config --sm-address sm.test.demo

    Important

    If you choose to install OAS on the same machine as OSM, enter 127.0.0.1 for the resource name.

  • Enable the ovd-slaveserver service

    #
    systemctl enable ovd-slaveserver

  • Reboot the server

    #
    reboot

OVD File Server (OFS)

Firewall Configuration

The OFS requires specific ports to be open in your firewall. Follow the instructions below to configure default firewalls.

  • If using UFW (default firewall for Ubuntu):

    • Open port 1112/TCP for inbound traffic:

      #
      ufw allow in 1112/tcp

    • Open port 1113/TCP for inbound traffic:

      #
      ufw allow in 1113/tcp

    • Open port 445/TCP for inbound traffic:

      #
      ufw allow in 445/tcp

  • If using firewalld (default firewall for RHEL):

    Warning

    The following rules will open ports to communication in both directions. Administrators should review and verify all necessary firewall rules in case you need a more restrictive implementation.

    • Open port 1112/TCP:

      #
      firewall-cmd --permanent --add-port=1112/tcp

    • Open port 1113/TCP:

      #
      firewall-cmd --permanent --add-port=1113/tcp

    • Open port 445/TCP

      #
      firewall-cmd --permanent --add-port=445/tcp

    • Activate updated firewall rules:

      #
      firewall-cmd --reload

Note

For more detailed firewall configuration, please refer to the Firewall and Ports.

Installing on Ubuntu LTS

  • Install the OFS package:

    #
    apt install inuvika-ovd-slaveserver-role-fs

  • The only information required is the resource name where the OSM can be accessed. We use sm.test.demo here for the example, but of course, you have to set your own domain name.

Important

If you choose to install OFS on the same machine as OSM, enter 127.0.0.1 for the resource name.

Installing on RHEL

SELinux Configuration

Important

This configuration only applies to SELinux enabled systems. For more information, please refer to the section Security-Enhanced Linux.

  • Install the policycoreutils-python package:

    #
    yum install python3-policycoreutils

  • Allow Apache to access ntfs/fusefs volumes:

    #
    setsebool -P httpd_use_fusefs=1

  • Allow Samba to export ntfs/fusefs volumes:

    #
    setsebool -P samba_share_fusefs=1

  • Allow Apache to listen on port 1113:

    #
    semanage port -at http_port_t -p tcp 1113

  • Change the context for files in /var/lib/ovd/slaveserver/fileserver-data/:

    #
    semanage fcontext -at httpd_user_rw_content_t "/var/lib/ovd/slaveserver/fileserver-data(/.*)?"

  • Create and deploy additional policy rules:

    1. Create and open the file /tmp/ovd_fs.te:

      #
      nano /tmp/ovd_fs.te

    2. Insert the following content and close the file:

      module ovd_fs 1.1;
      
      require {
              type init_t;
              type logwatch_mail_t;
              type logwatch_cache_t;
              type samba_unconfined_net_t;
              type winbind_rpcd_t, fusefs_t;
              class capability { dac_override dac_read_search };
              class dbus send_msg;
              class dir { add_name ioctl read write };
              class file { append create getattr open read write };
      }
      
      allow logwatch_mail_t logwatch_cache_t:dir { add_name write };
      allow logwatch_mail_t logwatch_cache_t:file { append create getattr open };
      allow winbind_rpcd_t fusefs_t:file { read write };
      allow winbind_rpcd_t fusefs_t:dir { ioctl read };
      allow winbind_rpcd_t self:capability { dac_override dac_read_search };
      allow init_t samba_unconfined_net_t:dbus send_msg;

    3. Create a type file for the SELinux policy:

      #
      checkmodule -M -m -o /tmp/ovd_fs.mod /tmp/ovd_fs.te

    4. Package the policy:

      #
      semodule_package -o /tmp/ovd_fs.pp -m /tmp/ovd_fs.mod

    5. Install the policy:

      #
      semodule -i /tmp/ovd_fs.pp

    6. Remove temporary files:

      #
      rm -f /tmp/ovd_fs*

Package Installation

  • Install the samba package:

    #
    yum install samba

  • Enable samba service

    #
    systemctl enable smb

  • Install the OFS package:

    #
    yum install inuvika-ovd-slaveserver-role-fs

  • Register host/IP address of the OVD Session Manager:

    #
    ovd-slaveserver-config --sm-address sm.test.demo

    Important

    If you choose to install OFS on the same machine as OSM, enter 127.0.0.1 for the resource name.

  • Enable the ovd-slaveserver service:

    #
    systemctl enable ovd-slaveserver

  • Reboot the server:

    #
    reboot

OVD Web Access (OWA)

In this example, we are using web.test.demo as the OWA resource name.

Firewall Configuration

The OWA requires specific ports to be open in your firewall. Follow the instructions below to configure default firewalls.

  • If using UFW (default firewall for Ubuntu):

    • Open port 80/TCP for inbound traffic:

      #
      ufw allow in 80/tcp

    • Open port 443/TCP for inbound traffic:

      #
      ufw allow in 443/tcp

      Note

      TCP 443 (HTTPS) will only be available if you chose to enable HTTPS access during OVD Web Access installation.

    • Open port 1112/TCP for inbound traffic:

      #
      ufw allow in 1112/tcp

  • If using firewalld (default firewall for RHEL):

    Warning

    The following rules will open ports to communication in both directions. Administrators should review and verify all necessary firewall rules in case you need a more restrictive implementation.

    • Open port 80/TCP:

      #
      firewall-cmd --permanent --add-port=80/tcp

    • Open port 443/TCP:

      #
      firewall-cmd --permanent --add-port=443/tcp

    • Open port 1112/TCP:

      #
      firewall-cmd --permanent --add-port=1112/tcp

    • Activate updated firewall rules:

      #
      firewall-cmd --reload

Note

For more detailed firewall configuration, please refer to the Firewall and Ports.

Installing on Ubuntu LTS

  • Install the OWA package:

    #
    apt install inuvika-ovd-slaveserver-role-webaccess

  • The installer will require the resource name of the OVD Session Manager (e.g. sm.test.demo)

To access the OWA, navigate to http://web.test.demo/ovd/ using a web browser.

Installing on RHEL

SELinux Configuration

Important

This configuration only applies to SELinux enabled systems. For more information, please refer to the section Security-Enhanced Linux.

  • Install the policycoreutils-python package:

    #
    yum install python3-policycoreutils

  • Add required capabilities for php-fpm:

    #
    setsebool -P httpd_execmem=1

  • Allow Apache to connect to the network:

    #
    setsebool -P httpd_can_network_connect=1

SELinux Configuration 3.3

  • Change the context for files in /var/spool/ovd/:

    #
    semanage fcontext -at httpd_sys_rw_content_t "/var/spool/ovd(/.*)?"

  • Create and deploy additional policy rules:

    1. Create and open the file /tmp/ovd_webaccess.te:

      #
      nano /tmp/ovd_webaccess.te

    2. Insert the following content and close the file:

      module ovd_webaccess 1.0;
      
      require {
              type tomcat_t;
              type var_spool_t;
              type httpd_sys_rw_content_t;
              class dir { add_name getattr remove_name search write };
              class file { create getattr open read unlink write };
      }
      
      #============= tomcat_t ==============
      
      allow tomcat_t var_spool_t:dir { add_name getattr remove_name search write };
      allow tomcat_t var_spool_t:file { create getattr open read write unlink };
      
      allow tomcat_t httpd_sys_rw_content_t:dir { add_name getattr remove_name search write };
      allow tomcat_t httpd_sys_rw_content_t:file { create getattr open read write unlink };

    3. Create a type file for the SELinux policy:

      #
      checkmodule -M -m -o /tmp/ovd_webaccess.mod /tmp/ovd_webaccess.te

    4. Package the policy:

      #
      semodule_package -o /tmp/ovd_webaccess.pp -m /tmp/ovd_webaccess.mod

    5. Install the policy:

      #
      semodule -i /tmp/ovd_webaccess.pp

    6. Remove temporary files:

      #
      rm -f /tmp/ovd_webaccess*

Package Installation

  • Install the OWA package:

    #
    yum install inuvika-ovd-slaveserver-role-webaccess

  • Register host/IP address of the OVD Session Manager:

    #
    ovd-slaveserver-config --sm-address sm.test.demo

    Important

    If you choose to install OWA on the same machine as OSM, enter 127.0.0.1 for the resource name.

  • Configure the ovd-slaveserver service:

    #
    systemctl enable ovd-slaveserver

  • Start the ovd-slaveserver service:

    #
    systemctl restart ovd-slaveserver

Package configuration

  • Enable and start the Guacamole Bridge service

    #
    systemctl enable --now guacamole-bridge

  • Enable guacamole service

    #
    systemctl enable --now guacamole

  • Enable and restart Apache service

    #
    systemctl enable httpd
    #
    systemctl restart httpd

OVD Enterprise Secure Gateway

Firewall Configuration

The ESG requires specific ports to be open in your firewall. Follow the instructions below to configure default firewalls.

  • If using UFW (default firewall for Ubuntu):

    • Open port 1112/TCP for inbound traffic:

      #
      ufw allow in 1112/tcp

    • Open port 443/TCP for inbound traffic:

      #
      ufw allow in 443/tcp

  • If using firewalld (default firewall for RHEL):

    Warning

    The following rules will open ports to communication in both directions. Administrators should review and verify all necessary firewall rules in case you need a more restrictive implementation.

    • Open port 1112/TCP:

      #
      firewall-cmd --permanent --add-port=1112/tcp

    • Open port 443/TCP:

      #
      firewall-cmd --permanent --add-port=443/tcp

    • Activate updated firewall rules:

      #
      firewall-cmd --reload

Note

For more detailed firewall configuration, please refer to the Firewall and Ports.
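The firewall sections above repeat the same per-role pattern. As an added example, not part of the Inuvika documentation, the script below collects the role-to-port table from those sections, generates the ufw or firewalld commands for one or more roles on a host, and checks a `ss -ltn` snapshot against the table; the function names and the snapshot are constructed for this example.

```shell
#!/bin/sh
# Added example (not Inuvika's code). Role -> inbound TCP port table taken
# from the Firewall Configuration sections of this page; all else constructed.

# Ports a role must accept from the network.
ovd_role_ports() {
    case "$1" in
        osm) echo "443 1111" ;;
        oac) echo "80 443" ;;
        oas) echo "1112 3389" ;;
        ofs) echo "445 1112 1113" ;;
        owa) echo "80 443 1112" ;;
        esg) echo "443 1112" ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Print the firewall commands for BACKEND (ufw or firewalld) and one or more
# roles co-located on the same host. Review the output, then pipe it into sh.
ovd_fw_rules() {
    backend=$1
    shift
    all=
    for role in "$@"; do
        ports=$(ovd_role_ports "$role") || return 1
        all="$all $ports"
    done
    for p in $(printf '%s\n' $all | sort -un); do
        case "$backend" in
            ufw) echo "ufw allow in $p/tcp" ;;
            firewalld) echo "firewall-cmd --permanent --add-port=$p/tcp" ;;
            *) echo "unknown backend: $backend" >&2; return 1 ;;
        esac
    done
    if [ "$backend" = firewalld ]; then
        echo "firewall-cmd --reload"
    fi
}

# Post-install check: read a `ss -ltn` snapshot on stdin and compare it with
# the role's port table. Listeners bound only to loopback (for example MySQL
# on 3306 when it is co-located with the OSM) are ignored. Prints MISSING for
# an expected port with no network listener (service not started) and EXTRA
# for a network listener the role does not need (review before exposing the
# host). Returns 1 only when something is MISSING.
ovd_check_listeners() {
    expected=$(ovd_role_ports "$1") || return 1
    listening=$(awk 'NR > 1 {
        port = $4; sub(/.*:/, "", port)
        addr = $4; sub(/:[0-9]+$/, "", addr)
        if (addr != "127.0.0.1" && addr != "[::1]") print port
    }' | sort -un)
    rc=0
    for p in $expected; do
        echo "$listening" | grep -qx "$p" || { echo "MISSING $p"; rc=1; }
    done
    for p in $listening; do
        case " $expected " in
            *" $p "*) ;;
            *) echo "EXTRA $p" ;;
        esac
    done
    return $rc
}

# Constructed `ss -ltn` snapshot of an OSM host where port 1111 was left
# bound to loopback and MySQL is local, as the page recommends.
sample_ss_osm() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      511        127.0.0.1:1111       0.0.0.0:*
LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511             [::]:443           [::]:*
EOF
}

# Usage on a host:  ovd_fw_rules ufw osm oac | sh ;  ss -ltn | ovd_check_listeners osm
```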

Installing on Ubuntu LTS

  • Install the ESG package using the following command. Enter the host/IP address of the OVD Session Manager (OSM) when prompted:

    #
    apt install inuvika-ovd-slaveserver-role-gateway

The installation of the ESG is now complete. The installation process automatically starts the ovd-slaveserver service and the ESG server will appear in the Unregistered Servers page in the Administration Console. If the server is not listed but the installation was successful, then there may be a firewall issue.

Installing on RHEL

SELinux Configuration

Security-Enhanced Linux (SELinux) is a Linux kernel security module that enhances the security of your system. In RHEL distributions, SELinux is enabled by default and runs in enforcing mode.

To verify the status of SELinux on any node, run the following command:

#
sestatus

The expected (and default) SELinux status is enabled, with current mode set to enforcing. If current mode is set to permissive, SELinux is running, but mandatory access control is not enforced. In that case, you might want to set the mode to enforcing:

  • Edit the /etc/selinux/config file and set the SELINUX variable to enforcing:
    SELINUX=enforcing

Important

If SELinux is disabled and you want to enable it, follow the official Red Hat documentation: Changing SELinux States and Modes.

If you prefer to keep SELinux disabled, you can skip the rest of this section.

  • Install packages that allow modification of SELinux policies and rules:

    #
    yum install python3-policycoreutils

  • Create and deploy additional policy rules

    1. Create and open a file /tmp/ovd_esg.te

      #
      nano /tmp/ovd_esg.te

    2. Insert the following content and close the file:

      module ovd_esg 1.0;
      
      require {
              type logwatch_mail_t;
              type logwatch_cache_t;
              class dir { add_name write };
              class file { append create getattr open };
      }
      
      allow logwatch_mail_t logwatch_cache_t:dir { add_name write };
      allow logwatch_mail_t logwatch_cache_t:file { append create getattr open };

    3. Compile the policy source into a binary policy module:

      #
      checkmodule -M -m -o /tmp/ovd_esg.mod /tmp/ovd_esg.te

    4. Package the policy:

      #
      semodule_package -o /tmp/ovd_esg.pp -m /tmp/ovd_esg.mod

    5. Install the policy:

      #
      semodule -i /tmp/ovd_esg.pp

    6. Remove temporary files:

      #
      rm -f /tmp/ovd_esg*
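The SELinux steps above as one script, added here as an example and not part of the Inuvika documentation: it reads the configured mode from /etc/selinux/config, writes the same ovd_esg policy source, compiles, packages and installs it with the standard SELinux userspace tools (checkmodule, semodule_package, semodule), and then confirms the module is loaded. The functions run stand-alone; the install path only runs when the script is called with the argument install.

```shell
#!/bin/sh
# Added example, not part of the Inuvika documentation: build, install and
# verify the ovd_esg SELinux policy module and check the configured mode first.

# Print the SELINUX= value from a file in /etc/selinux/config format
# (enforcing, permissive or disabled). Comment lines and surrounding spaces
# are ignored; prints nothing when the variable is absent.
selinux_configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([a-z]*\).*$/\1/p' "$1" | tail -n 1
}

# Write the policy source shown on the page to $1 (module ovd_esg, version 1.0).
write_ovd_esg_te() {
    cat > "$1" <<'EOF'
module ovd_esg 1.0;

require {
        type logwatch_mail_t;
        type logwatch_cache_t;
        class dir { add_name write };
        class file { append create getattr open };
}

allow logwatch_mail_t logwatch_cache_t:dir { add_name write };
allow logwatch_mail_t logwatch_cache_t:file { append create getattr open };
EOF
}

# Print the module name declared in a .te file ($1), e.g. "ovd_esg".
te_module_name() {
    sed -n 's/^module[[:space:]]\{1,\}\([A-Za-z0-9_]\{1,\}\)[[:space:]].*/\1/p' "$1"
}

# Compile, package, install and verify the module; stops at the first failing
# step and removes the temporary files in every case.
install_ovd_esg_policy() {
    workdir=$(mktemp -d) || return 1
    write_ovd_esg_te "$workdir/ovd_esg.te"
    checkmodule -M -m -o "$workdir/ovd_esg.mod" "$workdir/ovd_esg.te" \
        || { rm -rf "$workdir"; return 1; }
    semodule_package -o "$workdir/ovd_esg.pp" -m "$workdir/ovd_esg.mod" \
        || { rm -rf "$workdir"; return 1; }
    semodule -i "$workdir/ovd_esg.pp" || { rm -rf "$workdir"; return 1; }
    rm -rf "$workdir"
    # semodule -l lists the installed modules; fail if ours is not among them
    semodule -l | grep -q '^ovd_esg'
}

if [ "${1:-}" = "install" ]; then
    mode=$(selinux_configured_mode /etc/selinux/config)
    if [ "$mode" = "disabled" ]; then
        echo "SELinux is disabled in /etc/selinux/config; nothing to do" >&2
        exit 0
    fi
    install_ovd_esg_policy && echo "ovd_esg policy module installed (mode: $mode)"
fi
```

Run it as root with `sh ovd_esg_policy.sh install` after `sestatus` confirms SELinux is enabled; a non-zero exit means one of the build or install steps failed and the module was not loaded.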

Installation

  • Install the ESG package using the following command:

    #
    yum install inuvika-ovd-slaveserver-role-gateway

  • Register the host/IP address of the OVD Session Manager:

    #
    ovd-slaveserver-config --sm-address sm.test.demo

  • Enable the ovd-slaveserver service so that it starts at boot:

    #
    systemctl enable ovd-slaveserver

  • Start the ovd-slaveserver service:

    #
    systemctl restart ovd-slaveserver

The installation of the ESG is now complete. The ovd-slaveserver service has been started and the ESG server will appear in the Unregistered Servers page in the Administration Console. If the server is not listed but the installation was successful, then there may be a firewall issue.

TLS/SSL Server Certificate

The ESG requires the use of an X.509 certificate for secure communication.

A self-signed certificate is generated during the installation, but this is only designed for evaluation purposes. Self-signed certificates are not for production use.

Without a signed certificate installed, all users will receive a security warning in their browsers preventing them from accessing the service.

Warning

Before switching your OVD service to production or even deploying to a significant number of users, you must replace the self-signed certificate with a signed certificate obtained from a certificate issuer.

Identify the service access point

The certificate issuer will ask for a Common Name (CN). This information is critical as failure to provide the correct name will result in an unusable certificate.

For an OVD environment the CN of the certificate is the ESG service access point, also called the fully qualified domain name (FQDN). For example, if your ESG service is available at ovd.example.com and you expect all your users to use this name to access OVD, this is the FQDN you must provide as the certificate CN.

Warning

In digital certificates a CN cannot be an IP address; it must be a DNS name.

Alternative access points, such as additional DNS names and/or IP addresses, can be configured using the Subject Alternative Name (SAN) extension.

For multiple service access points or more complex configurations, please contact your certificate issuer and/or contact Inuvika.

Install the issued certificate

Once your certificate issuer has processed your request, you will be given the certificate together with its private key file, as well as a number of intermediate CA certificates used by your provider. Please download all these X.509 certificates in PEM representation.

Once you have downloaded all the X.509 files, they must be concatenated in a single PEM file in a specific order. Use a text editor to create a file named ovd-esg-issued.pem and copy the content of each file into it in this exact order:

  • Private key
  • Server certificate
  • Intermediary CA certificate +1
  • Intermediary CA certificate +x

Once this is done you may install the certificate on the ESG:

  • Copy the ovd-esg-issued.pem file to the ESG host

  • Create a copy of the self-signed PEM file as a backup:

    #
    cp /etc/ovd/slaveserver/gateway.pem /etc/ovd/slaveserver/gateway.pem.orig

  • Copy the file containing the new certificate over the ESG certificate file:

    #
    cp ovd-esg-issued.pem /etc/ovd/slaveserver/gateway.pem

  • Reload/restart the ESG service to activate the new SSL certificate:

    #
    systemctl reload ovd-slaveserver

Use a web browser to go to your ESG service access point using HTTPS (in our example: https://ovd.example.com/) and verify that the communication is secure and the given certificate is the one you received from your issuer.
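The assembly and installation steps above as a script, added here as an example and not part of the Inuvika documentation. It concatenates the files in the required order (private key, server certificate, intermediate CA certificates), checks that the first block really is an unencrypted private key and that everything after it is a certificate, confirms with the openssl CLI that the key matches the certificate, backs up and replaces gateway.pem, and warns when the installed file, which now contains the private key, is readable by other users. The path /etc/ovd/slaveserver/gateway.pem comes from the page; the function names and the sample PEM blocks in the usage are my own.

```shell
#!/bin/sh
# Added example, not part of the Inuvika documentation: assemble, check and
# install ovd-esg-issued.pem. Only key_matches_cert and show_served_cert need
# the openssl CLI; everything else is plain POSIX sh.

ESG_PEM=/etc/ovd/slaveserver/gateway.pem   # path from the page

# Print the label of every PEM block in $1, one per line, e.g. "PRIVATE KEY".
pem_block_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Return 0 when $1 is laid out as the page requires: the first block is an
# unencrypted private key and every later block is a certificate.
pem_order_ok() {
    pem_block_labels "$1" | awk '
        NR == 1 && ($0 !~ /PRIVATE KEY$/ || $0 ~ /^ENCRYPTED/) { bad = 1 }
        NR > 1  && $0 != "CERTIFICATE"                          { bad = 1 }
        END { exit (bad || NR < 2) ? 1 : 0 }'
}

# Concatenate the inputs, in argument order, into $1 and verify the layout.
# Usage: assemble_esg_pem OUT KEY SERVER_CERT [INTERMEDIATE_CA...]
assemble_esg_pem() {
    out=$1; shift
    if [ $# -lt 2 ]; then
        echo "usage: assemble_esg_pem OUT KEY SERVER_CERT [INTERMEDIATE_CA...]" >&2
        return 1
    fi
    cat "$@" > "$out" || return 1
    pem_order_ok "$out"
}

# Return 0 when the public key in certificate file $2 matches private key file
# $1 (openssl reads the first key / first certificate in each file, so both
# arguments may be the assembled PEM). Skipped with a message if openssl is absent.
key_matches_cert() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; key/certificate check skipped" >&2
        return 0
    fi
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Return 0 when users other than owner and group can read $1.
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Check $1, back up the current gateway.pem as gateway.pem.orig, install $1 in
# its place and warn if the private key it contains is world-readable.
install_esg_pem() {
    src=$1; dst=${2:-$ESG_PEM}
    pem_order_ok "$src" || { echo "$src: unexpected PEM block order" >&2; return 1; }
    key_matches_cert "$src" "$src" || { echo "$src: key does not match certificate" >&2; return 1; }
    if [ -f "$dst" ]; then
        cp -p "$dst" "$dst.orig" || return 1
    fi
    cp "$src" "$dst" || return 1
    if world_readable "$dst"; then
        echo "warning: $dst is world-readable and contains the private key" >&2
    fi
    echo "installed $dst; run: systemctl reload ovd-slaveserver"
}

# After the reload: fetch the certificate the ESG actually serves for host $1
# and print its subject, issuer, validity and SHA-256 fingerprint.
show_served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates -fingerprint -sha256
}
```

Typical use on the ESG host: `assemble_esg_pem ovd-esg-issued.pem privkey.pem server.pem intermediate.pem`, then `install_esg_pem ovd-esg-issued.pem`, reload the service, and compare `show_served_cert ovd.example.com` with the fingerprint your issuer gave you.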

OVD Web Access Configuration

For security reasons, the ESG isn't configured to allow communication to the OVD Web Access (OWA) by default. The configuration can be changed to allow access. This will allow you to then provide a single secure (SSL) connection point for all clients (EDC, EMC, OWA).

Note

The OWA itself may be configured to provide secure access to users outside the LAN. This requires the use of a third party network component, such as a Reverse Proxy and/or a Firewall (NAT redirection).

In such cases, the ESG is not mandatory for WAN access, but this applies to the OWA only: an ESG is required for WAN access from the EDC / EMC.

To enable the OWA access in the ESG:

  • Edit the configuration file /etc/ovd/slaveserver/slaveserver.conf and locate the line:

    # web_client = http[s]://ip[:port]/

  • Uncomment the variable and set the value to the URL of your OWA. For example:

    web_client = http://webaccess.test.demo/

  • Save the file and restart the slaveserver service.

    #
    systemctl restart ovd-slaveserver

Advanced Configuration Settings

The ESG configuration is stored in the file /etc/ovd/slaveserver/slaveserver.conf. The configuration may be adjusted by editing the file and changing the contents of the Gateway section as described below:

  • address: 0.0.0.0 (default). Defines the IP address of the network interface on which the ESG should bind. By default, the ESG binds on all network interfaces.

  • port: 443 (default). Defines the port to use.

  • max_process: 10 (default). Defines the maximum number of processes to run on the ESG server.

  • max_connection: 100 (default). Defines the maximum number of connections that can be opened on the ESG server.

  • process_timeout: 60 (default). Defines the timeout in seconds per process.

  • connection_timeout: 10 (default). Defines the timeout in seconds per connection.

  • admin_redirection: true or false (default). Use this setting to allow access to the OVD Administration Console through the ESG. This parameter is deprecated since OVD 2.9 and is replaced by admin_host.

  • admin_host: hostname, IP address or URL. Use this setting to allow access to the OVD Administration Console through the ESG. It replaces the admin_redirection parameter.

  • web_client: hostname, IP address or URL. Use this setting to allow access to the OVD Web Access through the ESG.

  • root_redirection: Use this setting to define the root path for the Gateway. For example, enter the value /ovd to automatically redirect a connection request for https://gw.demo to https://gw.demo/ovd.

  • http_keep_alive: true (default) or false. Enable or disable session keep-alive.

  • certificate_path: gateway.pem (default). Path to the TLS/SSL server certificate file to use for the ESG.

Important

Don't forget to restart the slaveserver service after any configuration change.
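A read-only check of the Gateway settings listed above, added here as an example and not part of the Inuvika documentation. It reads `key = value` lines from slaveserver.conf (commented lines start with `#`, as in the page's web_client example), flags the deprecated admin_redirection key, a plain-http web_client URL (the hop from the ESG to the OWA would then be unencrypted), non-integer numeric settings, and a certificate_path that does not exist. It assumes a relative certificate_path is resolved against /etc/ovd/slaveserver, which the page does not state; section headers are not interpreted. The function names are my own.

```shell
#!/bin/sh
# Added example, not part of the Inuvika documentation: audit the Gateway
# settings of /etc/ovd/slaveserver/slaveserver.conf before restarting.

CONF_DIR=/etc/ovd/slaveserver   # assumed base for a relative certificate_path

# Print the value of key $2 from conf file $1; the last uncommented assignment
# wins and trailing whitespace is dropped. Prints nothing if the key is unset.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Return 0 when $1 is a non-empty string of decimal digits.
is_uint() {
    case $1 in
        '' | *[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one line per finding on stdout and return the number of findings
# (0 means nothing to report).
audit_gateway_conf() {
    conf=$1
    findings=0

    # Deprecated since OVD 2.9: the page says admin_host replaces it.
    if [ -n "$(conf_value "$conf" admin_redirection)" ]; then
        echo "admin_redirection is deprecated since OVD 2.9; use admin_host instead"
        findings=$((findings + 1))
    fi

    # A plain http:// OWA URL means the ESG-to-OWA hop carries session traffic in clear.
    case $(conf_value "$conf" web_client) in
        http://*)
            echo "web_client uses http://; the ESG-to-OWA connection is unencrypted"
            findings=$((findings + 1)) ;;
    esac

    # Numeric settings must be integers; an empty value means the default applies.
    for key in port max_process max_connection process_timeout connection_timeout; do
        val=$(conf_value "$conf" "$key")
        if [ -n "$val" ] && ! is_uint "$val"; then
            echo "$key: '$val' is not an integer"
            findings=$((findings + 1))
        fi
    done

    # http_keep_alive accepts only true or false.
    ka=$(conf_value "$conf" http_keep_alive)
    if [ -n "$ka" ] && [ "$ka" != true ] && [ "$ka" != false ]; then
        echo "http_keep_alive: '$ka' is neither true nor false"
        findings=$((findings + 1))
    fi

    # The certificate file (which also holds the private key) must exist.
    cert=$(conf_value "$conf" certificate_path)
    [ -n "$cert" ] || cert=gateway.pem
    case $cert in
        /*) ;;
        *) cert="$CONF_DIR/$cert" ;;
    esac
    if [ ! -f "$cert" ]; then
        echo "certificate_path: $cert does not exist"
        findings=$((findings + 1))
    fi

    return $findings
}

if [ -n "${1:-}" ]; then
    audit_gateway_conf "$1"
    echo "$? finding(s)"
fi
```

Run `sh audit_gateway.sh /etc/ovd/slaveserver/slaveserver.conf` before `systemctl restart ovd-slaveserver`; a non-zero exit status is the number of findings printed.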

Next steps

To finalize your installation, please follow Initial Configuration.