
Installation and Configuration Guide

Last updated on May 04 2022.

Introduction

The purpose of this document is to describe how the different server roles of OVD Enterprise can be installed on all the supported operating systems. The OVD server roles can be installed on separate servers, which is recommended for an OVD farm in production.

Note

To install any component, first follow the steps in the Prerequisites section. To perform an OVD Session Manager installation, follow steps in the OVD Session Manager (OSM) Installation and Configuration section. To perform an OVD Application Server installation, follow steps in the OVD Application Server (OAS) Installation and Configuration section. To perform an OVD File Server installation, follow the steps in the OVD File Server (OFS) Installation and Configuration section. To perform an OVD Web Access installation, follow the steps in the OVD Web Access (OWA) Installation and Configuration section.

Prerequisites

When installing a Linux distribution on your server, please ensure that the Server version is installed and not the Desktop version. Any required software packages will be installed when the OVD component is installed. Do not manually install a Graphical User Interface for desktop use or an X window environment. Failing to follow these recommendations may lead to poor system performance.

Each server you plan to install will require internet access.

Important

In this document, we are using sm.test.demo for the OSM resource name, aps.test.demo for the OAS and web.test.demo for the OVD Web Access.

You need to use the resource name that is configured for your own environment. The resource name can be the FQDN or hostname. It cannot be a URI context, protocol or port.

Version code

Throughout this document, download links will use a version code specific to the version of OVD you are using.

You will find the version code on the Inuvika OVD supported versions page. You may also contact Inuvika to request the code.

Ubuntu LTS

sudo

On an Ubuntu system, we do not use the super user (root) to install packages. It is recommended to use sudo before each command you enter.

Of course, you can choose to log in as root if you wish using:

$
sudo -s

Repository

You need to add the Inuvika Ubuntu repository to each server you plan to install.

Important

To run these commands, replace any instance of {VERSION_CODE} with the version code as described in the Version code section.

  • Install the apt-transport-https and gnupg packages:

    #
    apt install apt-transport-https gnupg

  • Edit the /etc/apt/sources.list.d/ovd.list file to add the following line:

    • For Ubuntu 18.04 LTS (Bionic Beaver):

      deb https://archive.inuvika.com/ovd/{VERSION_CODE}/ubuntu bionic main

    • For Ubuntu 16.04 LTS (Xenial Xerus):

      deb https://archive.inuvika.com/ovd/{VERSION_CODE}/ubuntu xenial main

  • Install the keyring package to validate the repository using gpg:

    #
    wget -O- "https://archive.inuvika.com/ovd/{VERSION_CODE}/keyring" | apt-key add -

  • Update the package database:

    #
    apt update

RHEL 7 and CentOS 7

Security-Enhanced Linux

Security-Enhanced Linux (SELinux) is a Linux kernel security module that enhances the security of your system. In RHEL and CentOS distributions, SELinux is enabled by default and runs in enforcing mode.

While OVD is fully compatible with SELinux, every role needs to be configured according to the steps provided in this document.

To verify the status of SELinux on any node, run the following command:

#
sestatus

The expected (and default) SELinux status is enabled, with current mode set to enforcing. If current mode is set to permissive, SELinux is running, but mandatory access control is not enforced. In that case, you might want to set the mode to enforcing:

  • Edit the /etc/selinux/config file and set the SELINUX variable to enforcing
    SELINUX=enforcing

Important

If SELinux is disabled and you want to enable it, follow the official Red Hat documentation: Changing SELinux States and Modes.

If you prefer to keep SELinux disabled, you can skip all SELinux configuration sections in this document.

Repository

You need to add the Inuvika RHEL/CentOS repository to each server you plan to install.

Important

To run these commands, replace any instance of {VERSION_CODE} with the version code as described in the Version code section.

  • Edit the /etc/yum.repos.d/ovd.repo file to add the following content:

    [Inuvika-ovd]
    name=Inuvika OVD
    baseurl=https://archive.inuvika.com/ovd/{VERSION_CODE}/rhel/7/
    enabled=1
    gpgcheck=1
    gpgkey=https://archive.inuvika.com/ovd/{VERSION_CODE}/keyring

  • For RHEL 7 only, you also need to enable the Server Optional repository:

    #
    subscription-manager repos --enable=rhel-7-server-optional-rpms

  • Install the EPEL repository:

    #
    yum install https://download.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

    Info

    The EPEL repository is a separate repository which provides many additional software packages not provided by the default RHEL/CentOS repositories.

  • Update the package database:

    #
    yum makecache fast

Firewall and Ports

OVD requires several ports to be open in order to support different server roles. Although specific commands are provided for each component (in their corresponding section), IT Administrators should review and verify all necessary firewall rules in order to prevent possible service disruptions.

OVD Session Manager

  • Incoming traffic

    • TCP 443 (HTTPS): for communication with an end user's browser, OVD Administration Console, OVD Web Access and Enterprise Secure Gateway
    • TCP 1111 (HTTP): for communication with an OVD Application Server, OVD File Server and Enterprise Secure Gateway
  • Outgoing traffic

    • TCP 1112 (HTTP): for communication with Enterprise Secure Gateway, OVD File Server and OVD Application Server

OVD Administration Console

  • Incoming traffic

    • TCP 443 (HTTPS) and/or TCP 80 (HTTP): for communication with an administrator's browser and the Enterprise Secure Gateway

      Note

      TCP 443 (HTTPS) will only be available if you chose to enable HTTPS access during Administration Console installation.

  • Outgoing traffic

    • TCP 443 (HTTPS): for communication with an OVD Session Manager

OVD Application Server

  • Incoming traffic

    • TCP 1112 (HTTP): for communication with the OVD Session Manager
    • TCP 3389 (RDP): for communication with the OVD Enterprise Secure Gateway, OVD Web Access and end user's browser
  • Outgoing traffic

    • TCP 1111 (HTTP): for communication with the OVD Session Manager
    • TCP 445 (CIFS): for communication with the OVD File Server

OVD File Server

  • Incoming traffic

    • TCP 1112 (HTTP): for communication with the OVD Session Manager
    • TCP 1113 (HTTP): for communication with an OVD Web Access
    • TCP 445 (CIFS): for communication with an OVD Application Server
  • Outgoing traffic

    • TCP 1111 (HTTP): for communication with the OVD Session Manager

OVD Web Access

  • Incoming traffic

    • TCP 443 (HTTPS) and/or TCP 80 (HTTP): for communication with an end user's browser and the Enterprise Secure Gateway

      Note

      TCP 443 (HTTPS) will only be available if you chose to enable HTTPS access during OVD Web Access installation.

  • Outgoing traffic

    • TCP 443 (HTTPS): for communication with an OVD Session Manager
    • TCP 3389 (RDP): for communication with an OVD Application Server
    • TCP 1113 (HTTP): for communication with an OVD File Server

Note

The above rules apply only to standard configurations. If you plan to use a different configuration (e.g. installing multiple OVD services on a single server), you may not need to apply all the rules described.
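As an added example (not part of the Inuvika guide), the following POSIX shell script encodes the inbound TCP port matrix above and compares it with the listeners actually present on a node, so that a host running one role exposes nothing beyond what the matrix allows. The role shorthand (osm, oac, oas, ofs, owa) and the sample ss -ltn output are constructed here.

```shell
#!/bin/sh
# Added example, not part of the Inuvika guide: compare the inbound TCP port
# matrix from the "Firewall and Ports" section with the TCP listeners on a
# node. Role names (osm, oac, oas, ofs, owa) are this script's own shorthand.

# Inbound TCP ports each role needs, taken from the matrix above. OAC and OWA
# list both 80 and 443 because 443 is only present when HTTPS was enabled at
# install time.
expected_ports() {
    case "$1" in
        osm) echo "443 1111" ;;
        oac) echo "80 443" ;;
        oas) echo "1112 3389" ;;
        ofs) echo "1112 1113 445" ;;
        owa) echo "80 443" ;;
        *)   return 1 ;;
    esac
}

# Read `ss -ltn` output on stdin and print the local port of every LISTEN
# socket that is reachable from the network (loopback-only binds such as
# 127.0.0.1:3306 or [::1]:... are skipped), sorted numerically and
# de-duplicated. The port is whatever follows the last ':' so IPv4
# (0.0.0.0:22), IPv6 ([::]:443) and wildcard (*:80) forms all work.
listening_ports() {
    awk '$1 == "LISTEN" && $4 !~ /^(127\.|\[::1\])/ {
            n = split($4, a, ":"); print a[n]
         }' | sort -un
}

# Read `ss -ltn` output on stdin and print every network-reachable listening
# port that the given role does not expect. Exit status: 0 = clean,
# 1 = unexpected listener(s) found, 2 = unknown role.
unexpected_listeners() {
    role="$1"
    want=$(expected_ports "$role") || { echo "unknown role: $role" >&2; return 2; }
    found=0
    for p in $(listening_ports); do
        case " $want " in
            *" $p "*) ;;              # expected for this role, nothing to report
            *) echo "$p"; found=1 ;;  # listening but not in the matrix
        esac
    done
    return $found
}

# Constructed sample of `ss -ltn` output for an OSM node with the MySQL
# server on the same host (as the guide recommends) and sshd running.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    *:443               *:*
LISTEN 0      511    [::]:1111           [::]:*
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*'

# Demonstration on the constructed sample. On a real node, replace the
# printf with: ss -ltn | unexpected_listeners osm
demo() {
    extra=$(printf '%s\n' "$SAMPLE_SS" | unexpected_listeners osm) && {
        echo "osm: only expected ports are listening"; return 0; }
    echo "osm: listening ports not in the matrix (review or restrict):"
    echo "$extra" | sed 's/^/  /'
}

demo
```

On the sample, only port 22 is reported: 443 and 1111 are in the OSM row of the matrix and the loopback-bound MySQL socket is not network-reachable.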

OVD Session Manager (OSM) Installation and Configuration

This server is the central piece of an OVD server farm and is always required. It manages the session establishment from a client, hosts the administration console and provides centralized management of all the OVD server resources. The OSM should be installed prior to any other server.

Inuvika provides various Linux packages for installing the OSM on a Linux server. Inuvika does not provide a Windows installer version of OSM.

Requirements

All of the following Operating Systems are supported:

  • RHEL 7.x / CentOS 7.x x86-64
  • Ubuntu 18.04 LTS server (Bionic Beaver) x86-64
  • Ubuntu 16.04 LTS server (Xenial Xerus) x86-64

Minimum hardware configuration:

  • CPU: 2 Cores recommended as a minimum
  • Memory: 4 GB recommended as a minimum
  • Storage: 20 GB
  • Network: 1 GB NIC (2 for failover)

Firewall Configuration

The OSM requires specific ports to be open in your firewall. Follow the instructions below to configure default firewalls.

  • If using UFW (default firewall for Ubuntu):

    • Open port 443/TCP for inbound traffic:

      #
      ufw allow in 443/tcp

    • Open port 1111/TCP for inbound traffic:

      #
      ufw allow in 1111/tcp

    • Open port 1112/TCP for outbound traffic:

      #
      ufw allow out 1112/tcp

  • If using firewalld (default firewall for CentOS 7 and RHEL 7):

    Warning

    The following rules will open ports to communication in both directions. Administrators should review and verify all necessary firewall rules in case you need a more restrictive implementation.

    • Open port 443/TCP:

      #
      firewall-cmd --permanent --add-port=443/tcp

    • Open port 1111/TCP:

      #
      firewall-cmd --permanent --add-port=1111/tcp

    • Open port 1112/TCP:

      #
      firewall-cmd --permanent --add-port=1112/tcp

    • Activate updated firewall rules:

      #
      firewall-cmd --reload

Note

For more detailed firewall configuration, please refer to the Firewall and Ports section.

Installing on Ubuntu LTS

Installing MySQL

The OSM needs access to a MySQL database. We advise you to set up the MySQL server on the same machine as the OSM to minimize network access time.

  • Install the mysql-server package:

    #
    apt install mysql-server

    A password for root will be requested.

  • Define the mysql root password if using Ubuntu 18.04 LTS (Bionic Beaver):

    #
    mysqladmin -u root password

  • Open a MySQL shell:

    #
    mysql -u root -p

    Apply the following instructions within this shell:

    1. Create a database

      mysql>
      CREATE DATABASE ovd;

    2. Create a user

      mysql>
      CREATE USER "ovd"@"%" IDENTIFIED BY "[ovd_password]";

      Warning

      Replace [ovd_password] with a secure password for this user.

    3. Allow the user to operate on the database

      mysql>
      GRANT ALL PRIVILEGES ON ovd.* TO 'ovd'@'%';

    4. Reload MySQL configuration and exit the session

      mysql>
      FLUSH PRIVILEGES; exit;

Package Installation

  • Keep the default Kerberos configuration:

    #
    debconf-set-selections <<< "krb5-config krb5-config/default_realm string"

  • Install the following OVD package:

    #
    apt install inuvika-ovd-session-manager

  • The installer will prompt for an admin login and a password, and for confirmation of the password.

The OSM is now installed but not ready as the configuration requires the use of the OVD Administration Console. Please follow the next section to install the Administration Console and finish the configuration of the OSM.

Installing on RHEL 7 and CentOS 7

SELinux Configuration

Important

This configuration only applies to SELinux enabled systems. For more information please refer to the Security-Enhanced Linux section.

  • Install the policycoreutils-python package:

    #
    yum install policycoreutils-python

  • Allow Apache to listen on port 1111:

    #
    semanage port -at http_port_t -p tcp 1111

  • Allow Apache to listen on port 1112:

    #
    semanage port -at http_port_t -p tcp 1112

  • Change the context for files in /var/spool/ovd/:

    #
    semanage fcontext -at httpd_sys_rw_content_t "/var/spool/ovd(/.*)?"

  • Change the context for files in /var/log/ovd/session-manager/:

    #
    semanage fcontext -at collectd_rw_content_t "/var/log/ovd/session-manager(/.*)?"

  • Change the context of files in /usr/lib/fontconfig/cache/:

    #
    semanage fcontext -at fonts_cache_t "/usr/lib/fontconfig/cache(/.*)?"

  • Change the context of files in /etc/ovd/session-manager/:

    #
    semanage fcontext -at httpd_sys_rw_content_t "/etc/ovd/session-manager(/.*)?"

  • Change the context of the file /etc/ovd/session-manager/sessionmanager.cron:

    #
    semanage fcontext -at system_cron_spool_t "/etc/ovd/session-manager/sessionmanager.cron"

  • Create and deploy additional policy rules:

    1. Create and open the file /tmp/ovd_sm.te:

      #
      nano /tmp/ovd_sm.te

    2. Insert the following content and close the file:

      module ovd_sm 1.0;
      
      require {
              type useradd_t, httpd_sys_rw_content_t;
              type httpd_t, fonts_cache_t;
              class file write;
              class dir setattr;
      }
      allow useradd_t httpd_sys_rw_content_t: file write;
      allow httpd_t fonts_cache_t: dir setattr;

    3. Create a type file for the SELinux policy:

      #
      checkmodule -M -m -o /tmp/ovd_sm.mod /tmp/ovd_sm.te

    4. Package the policy:

      #
      semodule_package -o /tmp/ovd_sm.pp -m /tmp/ovd_sm.mod

    5. Install the policy:

      #
      semodule -i /tmp/ovd_sm.pp

    6. Remove temporary files:

      #
      rm -f /tmp/ovd_sm*

Installing MySQL

The OSM needs access to a MySQL database. On RHEL 7 and CentOS 7, the MySQL database package is provided by MariaDB. We advise you to set up the MySQL server on the same machine as the OSM to minimize network access time.

  • Install the mysql package:

    #
    yum install mariadb mariadb-server

  • To automatically start MySQL when the system boots up:

    #
    systemctl enable mariadb

  • Start the service:

    #
    systemctl start mariadb

  • Define the mysql root password:

    #
    mysqladmin -u root password

  • Open a MySQL shell:

    #
    mysql -u root -p

    Apply the following instructions within this shell:

    1. Create a database

      mysql>
      CREATE DATABASE ovd;

    2. Create a user

      mysql>
      CREATE USER "ovd"@"%" IDENTIFIED BY "[ovd_password]";

      Warning

      Replace [ovd_password] with a secure password for this user.

    3. Allow the user to operate on the database

      mysql>
      GRANT ALL PRIVILEGES ON ovd.* TO 'ovd'@'%';

    4. Reload MySQL configuration and exit the session

      mysql>
      FLUSH PRIVILEGES; exit;

Package Installation

  • Install the following OVD package:

    #
    yum install inuvika-ovd-session-manager

  • Launch the configuration tool and set the admin login and password:

    #
    ovd-session-manager-config

  • Enable the Apache service:

    #
    systemctl enable httpd

  • Start the Apache service:

    #
    systemctl restart httpd

The OSM is now installed but not ready as the configuration requires the use of the OVD Administration Console. Please follow the next section to install the Administration Console and finish the configuration of the OSM.

OVD Administration Console (OAC) Installation and Configuration

This OAC provides a web-based service that allows administrators to configure the OVD farm.

Inuvika provides various Linux packages for installing the OAC on a Linux server. Inuvika does not provide a Windows installer version of OAC.

Requirements

All of the following Operating Systems are supported:

  • RHEL 7.x / CentOS 7.x x86-64
  • Ubuntu 18.04 LTS server (Bionic Beaver) x86-64
  • Ubuntu 16.04 LTS server (Xenial Xerus) x86-64

Minimum hardware configuration:

  • CPU: 1 Core recommended as a minimum
  • Memory: 1 GB recommended as a minimum
  • Storage: 20 GB
  • Network: 1 GB NIC

Firewall Configuration

The OAC requires specific ports to be open in your firewall. Follow the instructions below to configure default firewalls.

  • If using UFW (default firewall for Ubuntu):

    • Open port 443/TCP for inbound traffic:

      #
      ufw allow in 443/tcp

      Note

      TCP 443 (HTTPS) will only be available if you chose to enable HTTPS access during Administration Console installation.

    • Open port 80/TCP for inbound traffic:

      #
      ufw allow in 80/tcp

    • Open port 443/TCP for outbound traffic:

      #
      ufw allow out 443/tcp

  • If using firewalld (default firewall for CentOS 7 and RHEL 7):

    Warning

    The following rules will open ports to communication in both directions. Administrators should review and verify all necessary firewall rules in case you need a more restrictive implementation.

    • Open port 443/TCP:

      #
      firewall-cmd --permanent --add-port=443/tcp

    • Open port 80/TCP:

      #
      firewall-cmd --permanent --add-port=80/tcp

    • Activate updated firewall rules:

      #
      firewall-cmd --reload

Note

For more detailed firewall configuration, please refer to the Firewall and Ports section.

Installing on Ubuntu LTS

  • Install the following OVD package:

    #
    apt install inuvika-ovd-administration-console

  • The installer will require the resource name of the OVD Session Manager (i.e. sm.test.demo)

  • The installer will prompt whether to enable HTTPS access to the Administration Console if it detects that HTTPS access is not already enabled on the system. If HTTPS access is enabled, after completing the installation, both HTTP and HTTPS access to the Administration Console will be available.

Installing on RHEL 7 and CentOS 7

  • Install the following OVD packages:

    #
    yum install inuvika-ovd-administration-console

  • Launch the Administration Console configuration tool:

    #
    ovd-administration-console-config
    Session Manager address [127.0.0.1]:

  • Select whether to enable HTTPS access to the Administration Console. This prompt is displayed only if HTTPS access is not already enabled on the system. If HTTPS access is enabled, both HTTP and HTTPS access to the Administration Console will be available after the configuration completes.

    Enable HTTPS support [yes] (yes or no):

  • Enable the Apache service:

    #
    systemctl enable httpd

  • Start the Apache service:

    #
    systemctl restart httpd

Configuration

The first step is to go to http://oac.test.demo/ovd/admin and authenticate yourself with the admin login and password you provided during installation.

The first time you log in, the system detects that it is not configured so you are redirected to a basic setup page which will save a default configuration.

On this page, you setup the MySQL configuration. For example, if you installed MySQL on the same host as described above, you would use the following configuration:

  • Database Type: MySQL
  • Database host address: 127.0.0.1
  • Database username: ovd
  • Database password: [ovd_password] (replace with the actual password you set)
  • Database name: ovd
  • Table prefix: ovd_

The OVD farm is now configured for basic use.

OVD Application Server (OAS) Installation and Configuration

OVD Enterprise is an application and desktop delivery solution. The OAS in the OVD solution is the server that hosts and serves the end user applications and desktops. It is accessed from an OVD client using an enhanced Remote Display Protocol.

An Application Server can be either a Linux system or a Windows system depending on the type of applications and desktops you want to deliver. Of course, you can mix Linux and Windows machines in an OVD farm to deliver applications seamlessly to the end user from different application servers. The user load will be load-balanced by the OSM among the available application servers to provide a better distribution of server resources.

Requirements

Windows

All of the following Operating Systems are supported:

  • Windows 2019 with Remote Desktop Services
  • Windows 2016 with Remote Desktop Services
  • Windows 2012 R2 with Remote Desktop Services

Minimum hardware configuration:

  • CPU: 4 cores recommended as a minimum
  • Memory: 8 GB recommended as a minimum
  • Storage: 50+ GB. High speed disks with RAID-1 (15krpm, SSDs or SAN disks).
  • Network: 1 GB NIC

Important

Inuvika does not recommend you use Windows Server Essentials because the Remote Desktop Session Host role may not be installed. The connection limit is set to only two concurrent users in this case.

Firewall Configuration

The OAS requires specific ports to be open in your firewall. Follow the instructions below to open ports on the Windows Firewall using netsh via Command Prompt (run as administrator).

For any other type of firewall, please refer to its official documentation to open the ports described below.

  • Open port 1112/TCP for inbound traffic:

    >
    netsh advfirewall firewall add rule name="OAS http" dir=in action=allow protocol=TCP localport=1112

  • Open port 3389/TCP for inbound traffic:

    >
    netsh advfirewall firewall add rule name="OAS rdp" dir=in action=allow protocol=TCP localport=3389

  • Open port 1111/TCP for outbound traffic (the remote port is the OSM's port 1111, so the rule matches on remoteport):

    >
    netsh advfirewall firewall add rule name="OAS sm" dir=out action=allow protocol=TCP remoteport=1111

  • Open port 445/TCP for outbound traffic (the remote port is the OFS's port 445):

    >
    netsh advfirewall firewall add rule name="OAS cifs" dir=out action=allow protocol=TCP remoteport=445

Note

For more detailed firewall configuration, please refer to the Firewall and Ports section.

Linux

All of the following Operating Systems are supported:

  • RHEL 7.x / CentOS 7.x x86-64
  • Ubuntu 18.04 LTS server (Bionic Beaver) x86-64
  • Ubuntu 16.04 LTS server (Xenial Xerus) x86-64

Minimum hardware configuration:

  • CPU: 4 cores recommended as a minimum
  • Memory: 8 GB recommended as a minimum
  • Storage: 50+ GB. High speed disks with RAID-1 (15krpm, SSDs or SAN disks).
  • Network: 1 GB NIC

Firewall Configuration

The OAS requires specific ports to be open in your firewall. Follow the instructions below to configure default firewalls.

  • If using UFW (default firewall for Ubuntu):

    • Open port 1112/TCP for inbound traffic:

      #
      ufw allow in 1112/tcp

    • Open port 3389/TCP for inbound traffic:

      #
      ufw allow in 3389/tcp

    • Open port 1111/TCP for outbound traffic:

      #
      ufw allow out 1111/tcp

    • Open port 445/TCP for outbound traffic:

      #
      ufw allow out 445/tcp

  • If using firewalld (default firewall for CentOS 7 and RHEL 7):

    Warning

    The following rules will open ports to communication in both directions. Administrators should review and verify all necessary firewall rules in case you need a more restrictive implementation.

    • Open port 1112/TCP:

      #
      firewall-cmd --permanent --add-port=1112/tcp

    • Open port 3389/TCP:

      #
      firewall-cmd --permanent --add-port=3389/tcp

    • Open port 1111/TCP:

      #
      firewall-cmd --permanent --add-port=1111/tcp

    • Open port 445/TCP:

      #
      firewall-cmd --permanent --add-port=445/tcp

    • Activate updated firewall rules:

      #
      firewall-cmd --reload

Note

For more detailed firewall configuration, please refer to the Firewall and Ports section.

Requirement for the nls_utf8 kernel module

The OVD Application Server requires the nls_utf8 kernel module to be installed on the system.

This module is installed by the distribution’s default Linux kernel. However, some cloud-based environments may provide their own custom Linux kernel and these kernels are not guaranteed to include nls_utf8.

Info

This section is not required when using a default Linux kernel (typically linux-image-generic on Ubuntu).

To verify if the module is installed on the system, run the following command:

#
modprobe nls_utf8

If the command returns an error, it means that the module is not installed. In this case, try the following alternatives:

  • Search if the module is provided by a package that can be installed.

    For example, when using Ubuntu's default kernels, the module is provided by the linux-modules-extra or linux-image-extra packages.

    Check if the kernel provides such extra packages:

    #
    apt list "linux-*-$(uname -r)*"

  • Contact your Cloud provider to request the support of nls_utf8

  • Switch to a different kernel, such as the distribution's default kernel

Installing on Microsoft Windows

The Microsoft Remote Desktop Session Host (RDSH) role must be deployed, configured, and properly licensed. For more information about Microsoft Remote Desktop licensing, please visit the corresponding section of the official Microsoft documentation: Remote Desktop Licensing.

Important

The Windows server may run in a workgroup or be a member of an Active Directory domain but must not run as a domain controller.

Enabling Network Level Authentication (NLA) on Microsoft RDS is optional but strongly recommended.

Before installing the OAS, the Inuvika OVD Session Manager (OSM) must be installed and running. Furthermore if the RDSH role has just been installed, the server must be rebooted before installing the OAS.

Inuvika provides two Windows installers for the OAS:

  • An .exe setup (recommended)
  • An .msi package

Installation using the .exe setup is recommended because it ships all dependencies, whereas the .msi package is provided for automation purposes (auto-deployment) and requires the installation of external dependencies.

Dependencies for the MSI package

Before installing the MSI package, you will need to install the following dependencies:

  • Microsoft Visual C++ Redistributable for Visual Studio 2017 - x86
  • Microsoft Visual C++ Redistributable for Visual Studio 2017 - x64 (When using OVD version 3.1+)
  • Microsoft Visual C++ Redistributable for Visual Studio 2008 - x86 (When using OVD versions prior to 3.1)

Visit the Microsoft website for the latest versions.

In addition, you may want to visit the following Chocolatey references as Inuvika has validated them for automation: vcredist2017 & vcredist2008.

Download the OAS installer from this location: https://archive.inuvika.com/ovd/{VERSION_CODE}

Important

Replace {VERSION_CODE} with the version code as described in the Version code section.

Copy the OAS installer to the Windows Server machine you wish to install it on and run it.

The only installation data required is the resource name of the OVD Session Manager. We use sm.test.demo here as an example, but of course, you have to specify your own domain name.

When the installation is complete, the Windows OVD service should be configured and running. To check, open Windows Services, browse to the OVD agent service and look at its status.

The server should appear in the list of Unregistered Servers in the OVD Administration Console.

If your server does not show up in the list, you might have a DNS configuration issue.

Installing on Ubuntu LTS

  • Keep the default davfs2 configuration:

    #
    debconf-set-selections <<< "davfs2 davfs2/suid_file boolean false"

  • Install the OAS packages:

    #
    apt install inuvika-ovd-slaveserver-role-aps inuvika-ovd-desktop

  • The only information required is the resource name where the OSM can be accessed. We use sm.test.demo in this example, but of course, you have to use your own resource name.

    Important

    If you choose to install OAS on the same machine as OSM, enter 127.0.0.1 for the resource name.

The server should appear in the list of Unregistered Servers in the OVD Administration Console.

If your server does not show up in the list, you might have a DNS configuration issue.

Installing on RHEL 7 and CentOS 7

SELinux Configuration

Important

This configuration only applies to SELinux enabled systems. For more information please refer to the Security-Enhanced Linux section.

  • Install the policycoreutils-python package:

    #
    yum install policycoreutils-python

  • Change the context for files in /var/spool/xrdp_printer/:

    #
    semanage fcontext -at print_spool_t "/var/spool/xrdp_printer(/.*)?"

  • Create and deploy additional policy rules:

    1. Create and open the file /tmp/ovd_aps.te:

      #
      nano /tmp/ovd_aps.te

    2. Insert the following content and close the file:

      module ovd_aps 1.0;
      
      require {
              type smbd_t, cupsd_var_run_t;
              type logwatch_mail_t, logwatch_cache_t;
              type pulseaudio_t, httpd_sys_rw_content_t, system_dbusd_t;
              type initrc_var_run_t, fusefs_t, initrc_state_t;
              class file { append create getattr lock open read write };
              class dir { add_name create read setattr write };
              class sock_file read;
      }
      
      allow smbd_t cupsd_var_run_t:sock_file read;
      allow logwatch_mail_t logwatch_cache_t:dir { add_name write };
      allow logwatch_mail_t logwatch_cache_t:file { append create getattr open };
      allow system_dbusd_t httpd_sys_rw_content_t: file { append };
      allow pulseaudio_t httpd_sys_rw_content_t: file { read write };
      allow pulseaudio_t fusefs_t:dir { add_name create read write };
      allow pulseaudio_t initrc_var_run_t:file { read write };
      allow pulseaudio_t fusefs_t:file { create getattr lock open read write };
      allow pulseaudio_t initrc_state_t:file { getattr read write };

    3. Create a type file for the SELinux policy:

      #
      checkmodule -M -m -o /tmp/ovd_aps.mod /tmp/ovd_aps.te

    4. Package the policy:

      #
      semodule_package -o /tmp/ovd_aps.pp -m /tmp/ovd_aps.mod

    5. Install the policy:

      #
      semodule -i /tmp/ovd_aps.pp

    6. Remove temporary files:

      #
      rm -f /tmp/ovd_aps*

Package Installation

  • Install the cups package:

    #
    yum install cups

  • Configure the cups service:

    #
    systemctl enable cups

  • Start the cups service:

    #
    systemctl restart cups

  • Install the OAS packages:

    #
    yum install inuvika-ovd-slaveserver-role-aps inuvika-ovd-desktop

  • For OVD version 3.1 or later:

    • Enable the XRDP services:

      #
      systemctl enable xrdp-log.service xrdp-sesman.service xrdp-printer.service xrdp.service

    • Start the XRDP services:

      #
      systemctl start xrdp-log.service xrdp-sesman.service xrdp-printer.service xrdp.service

  • Register host/IP address of the OVD Session Manager:

    #
    ovd-slaveserver-config --sm-address sm.test.demo

    Important

    If you choose to install OAS on the same machine as OSM, enter 127.0.0.1 for the resource name.

  • Enable the ovd-slaveserver service:

    #
    systemctl enable ovd-slaveserver

  • Reboot the server:

    #
    reboot

The server should appear in the list of Unregistered Servers in the OVD Administration Console.

If your server does not show up in the list, you might have a DNS configuration issue.

Registering the Server and Publishing Applications

In the Administration Console, click register to register your application server and switch it from "maintenance" to "production" mode.

Any applications that were available on the server should now be listed in the Administration Console.

You can enter the desired Display name of the server which is the field used in the Administration Console to identify the server.

The next step is to create the required publications so that authorized users can access the applications they require. A publication links an application group to a user group so that users in the user group have access to the applications in the application group. You should plan how best to allocate your publications but to get started try adding some applications to an existing Application Group so that users will be authorized to run those applications. If you do not have any existing Application Groups, please refer to the Inuvika OVD Administration Guide first.

Launching a Session

If you launch a session, you should be able to access to your applications from the application menu and from desktop icons if you did not disable that option in the Administration Console.

Internal System

Examining the Windows Agent Log

In a default Windows installation, the log file can be found at C:\ProgramData\OVD\slaveserver\log.

It is also possible to view messages in the Windows Event Viewer (in the Application section).

User Isolation (Optional)

By giving access to the same Application Server to different user sessions, connected users may find several ways to be aware of each other. Users should not have any rights to view or alter another user’s data but the default Operating System rules can allow users to list existing user accounts and access this data.

Our recommendation, as part of our OVD Best Practices, is to change the Operating System’s default access rules for the home directory base folders.

  • Windows: C:\Users

    >
    icacls C:\Users /deny "OVDUsers:(NP)(RD)"

    Additionally, you can also apply the following rule which will prevent OVD Users from creating content in C:\.

    >
    icacls C:\ /deny "OVDUsers:(NP)(W)"

  • Linux: /home

    #
    chmod o-rw /home/
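
The two commands above change only the base folders. As an added example (not part of this guide or the OVD packages), the following POSIX shell script audits a Linux home base directory the way an administrator would after applying the recommendation: it reports the base directory and every per-user directory below it that is still readable or writable by "other", and applies the guide's chmod o-rw to the base directory. The function names audit_home_isolation and harden_home_isolation are the example's own; it assumes a Linux stat that accepts -c (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example, not part of the OVD packages or this guide.
# Audit a home base directory (the guide's /home) for permission bits that let
# one OVD session user enumerate or read another user's home directory.
# Prints "<octal mode> <path>" per finding and returns 1 if anything was found.
audit_home_isolation() {
    base="${1:-/home}"
    findings=""
    # Check the base directory itself, then every directory directly below it:
    # per-user homes created with a permissive umask (for example mode 755)
    # stay readable by every other session user even after /home is tightened.
    for path in "$base" "$base"/*; do
        [ -d "$path" ] || continue
        [ -L "$path" ] && continue            # report real directories only
        mode=$(stat -c '%a' "$path")          # assumes GNU/BusyBox stat
        other=${mode#"${mode%?}"}             # last octal digit = "other" bits
        case "$other" in
            2|3|4|5|6|7)                      # read (4) and/or write (2) set
                findings="${findings}${mode} ${path}
";;
        esac
        # A value of 0 or 1 is left alone: execute-only (1) is what the guide's
        # "chmod o-rw" leaves behind so users can still traverse to their home.
    done
    [ -z "$findings" ] && return 0
    printf '%s' "$findings"
    return 1
}

# Apply the guide's recommendation to the base directory: drop read and write
# for "other" but keep execute (traverse), so a user can still reach their own
# home by its exact path without being able to list the neighbouring homes.
harden_home_isolation() {
    base="${1:-/home}"
    chmod o-rw "$base"
}
```

Source the file and run audit_home_isolation /home before and after harden_home_isolation /home; a non-zero return with no output means the base folder is tightened but one or more per-user directories still expose their contents and deserve a closer look.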

Deactivation of Windows Security on Windows Server 2019 (Optional)

As of Windows Server 2019, the new Windows Security application grants users read access to critical configuration areas (firewall, antivirus, device security, etc.). Modifications of these settings are controlled by User Account Control (UAC).

Our recommendation, as part of our OVD Best Practices, is to remove user access for Windows Security. Administrators will still be able to access it after this is done.

  • Remove access for the Users Group:

    1. Set environmental variable

      >
      set WS=%SystemRoot%\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe

    2. Remove ownership

      >
      takeown /f %WS%

    3. Remove access

      >
      icacls %WS% /deny "Users:(X)"

OVD File Server (OFS) Installation and Configuration

Within OVD, the OFS provides a centralized file management system that enables users to access the same files independently of which application server is used to provide the application. OFS provides a network file system that the OAS Servers are able to access when users are running sessions. It is used to provide access to both user profiles, and data folders and files.

The OFS is available for Linux based servers only. In a small OVD server farm, the OFS may reside on the same physical machine as the OAS. In larger installations, the OFS would typically be installed on dedicated hardware.

Requirements

All of the following Operating Systems are supported:

  • RHEL 7.x / CentOS 7.x x86-64
  • Ubuntu 18.04 LTS server (Bionic Beaver) x86-64
  • Ubuntu 16.04 LTS server (Xenial Xerus) x86-64

Minimum hardware configuration:

  • CPU: 2 cores (4 cores recommended)
  • Memory: 2 GB (4 GB recommended)
  • Storage: 100+ GB. High speed disks with RAID-1 (15krpm, SSDs or SAN disks).
  • Network: 1 GB NIC

Firewall Configuration

The OFS requires specific ports to be open in your firewall. Follow the instructions below to configure default firewalls.

  • If using UFW (default firewall for Ubuntu):

    • Open port 1112/TCP for inbound traffic:

      #
      ufw allow in 1112/tcp

    • Open port 1113/TCP for inbound traffic:

      #
      ufw allow in 1113/tcp

    • Open port 445/TCP for inbound traffic:

      #
      ufw allow in 445/tcp

    • Open port 1111/TCP for outbound traffic:

      #
      ufw allow out 1111/tcp

  • If using firewalld (default firewall for CentOS 7 and RHEL 7):

    Warning

    The following rules will open ports to communication in both directions. Administrators should review and verify all necessary firewall rules in case you need a more restrictive implementation.

    • Open port 1112/TCP:

      #
      firewall-cmd --permanent --add-port=1112/tcp

    • Open port 1113/TCP:

      #
      firewall-cmd --permanent --add-port=1113/tcp

    • Open port 445/TCP

      #
      firewall-cmd --permanent --add-port=445/tcp

    • Open port 1111/TCP

      #
      firewall-cmd --permanent --add-port=1111/tcp

    • Activate updated firewall rules:

      #
      firewall-cmd --reload

Note

For more detailed firewall configuration, please refer to the Firewall and Ports section.

Installing on Ubuntu LTS

  • Install the OFS package:

    #
    apt install inuvika-ovd-slaveserver-role-fs

  • The only information required is the resource name where the OSM can be accessed. We use sm.test.demo in this example; use the resource name configured for your own environment.

Important

If you choose to install OFS on the same machine as OSM, enter 127.0.0.1 for the resource name.

The server should appear in the list of Unregistered Servers in the OVD Administration Console.

If your server does not show up in the list, you might have a DNS configuration issue.

Installing on RHEL 7 and CentOS 7

SELinux Configuration

Important

This configuration only applies to SELinux enabled systems. For more information, please refer to the Security-Enhanced Linux section.

  • Install the policycoreutils-python package:

    #
    yum install policycoreutils-python

  • Allow Apache to access ntfs/fusefs volumes:

    #
    setsebool -P httpd_use_fusefs=1

  • Allow Samba to export ntfs/fusefs volumes:

    #
    setsebool -P samba_share_fusefs=1

  • Allow Apache to listen on port 1113:

    #
    semanage port -at http_port_t -p tcp 1113

  • Change the context for files in /var/lib/ovd/slaveserver/fileserver-data/:

    #
    semanage fcontext -at httpd_user_rw_content_t "/var/lib/ovd/slaveserver/fileserver-data(/.*)?"

  • Create and deploy additional policy rules:

    1. Create and open the file /tmp/ovd_fs.te:

      #
      nano /tmp/ovd_fs.te

    2. Insert the following content and close the file:

      module ovd_fs 1.0;
      
      require {
              type logwatch_mail_t;
              type logwatch_cache_t;
              class dir { add_name write };
              class file { append create getattr open };
      }
      
      allow logwatch_mail_t logwatch_cache_t:dir { add_name write };
      allow logwatch_mail_t logwatch_cache_t:file { append create getattr open };

    3. Compile the policy source into a module:

      #
      checkmodule -M -m -o /tmp/ovd_fs.mod /tmp/ovd_fs.te

    4. Package the policy:

      #
      semodule_package -o /tmp/ovd_fs.pp -m /tmp/ovd_fs.mod

    5. Install the policy:

      #
      semodule -i /tmp/ovd_fs.pp

    6. Remove temporary files:

      #
      rm -f /tmp/ovd_fs*
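
Steps 1 to 6 above are usually scripted so they can be re-run safely on every OFS host. The following shell script is an added example (not part of this guide or the OVD packages): it writes the ovd_fs policy source exactly as given in step 2, compiles, packages and installs it with the same checkmodule, semodule_package and semodule commands, skips the build when semodule -l already lists the module, and removes the temporary files on any exit, including a failed compile. The function names selinux_module_listed, write_ovd_fs_te and install_ovd_fs_policy are the example's own; it assumes the policycoreutils tools named in this section are installed.

```shell
#!/bin/sh
# Added example, not part of the OVD packages or this guide.

# Return 0 if module NAME appears in a "semodule -l" listing read from stdin.
# The module name is the first column; RHEL 7 prints a version column after it.
selinux_module_listed() {
    awk -v name="$1" '$1 == name { found = 1 } END { exit (found ? 0 : 1) }'
}

# Write the type-enforcement source from step 2 of the guide to FILE.
write_ovd_fs_te() {
    cat > "$1" <<'EOF'
module ovd_fs 1.0;

require {
        type logwatch_mail_t;
        type logwatch_cache_t;
        class dir { add_name write };
        class file { append create getattr open };
}

allow logwatch_mail_t logwatch_cache_t:dir { add_name write };
allow logwatch_mail_t logwatch_cache_t:file { append create getattr open };
EOF
}

# Build and install the ovd_fs module (steps 1-6), idempotently.
install_ovd_fs_policy() {
    if semodule -l | selinux_module_listed ovd_fs; then
        echo "ovd_fs policy module already installed; nothing to do"
        return 0
    fi
    work=$(mktemp -d) || return 1
    trap 'rm -rf "$work"' EXIT                 # step 6, also on failure
    write_ovd_fs_te "$work/ovd_fs.te"          # steps 1 and 2
    checkmodule -M -m -o "$work/ovd_fs.mod" "$work/ovd_fs.te" || return 1   # step 3
    semodule_package -o "$work/ovd_fs.pp" -m "$work/ovd_fs.mod" || return 1 # step 4
    semodule -i "$work/ovd_fs.pp"              # step 5
}
```

Run install_ovd_fs_policy as root on the OFS host; a second run reports that the module is already present instead of rebuilding it, which makes the script safe to include in configuration management.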

Package Installation

  • Install the samba package:

    #
    yum install samba

  • Enable samba service

    #
    systemctl enable smb

  • Restart samba service

    #
    systemctl restart smb

  • Install the OFS package:

    #
    yum install inuvika-ovd-slaveserver-role-fs

  • Register host/IP address of the OVD Session Manager:

    #
    ovd-slaveserver-config --sm-address sm.test.demo

    Important

    If you choose to install OFS on the same machine as OSM, enter 127.0.0.1 for the resource name.

  • Enable the ovd-slaveserver service:

    #
    systemctl enable ovd-slaveserver

  • Reboot the server:

    #
    reboot

The server should appear in the list of Unregistered Servers in the OVD Administration Console.

If your server does not show up in the list, you might have a DNS configuration issue.

OVD Web Access (OWA) Installation and Configuration

The OWA server is responsible for managing browser-based client sessions. This requires an HTML5 compliant browser on the client machine but no software needs to be installed on the client machine. The OVD session can be tunneled over an SSL session for secure data transmission.

For small installations, it is possible to install OWA on the same machine as the OSM. For larger installations, it is recommended to install one or more OWA systems on their own servers and to load-balance them for optimal performance.

In this example, we are using web.test.demo as the OWA resource name.

Requirements

All of the following Operating Systems are supported:

  • RHEL 7.x / CentOS 7.x x86-64
  • Ubuntu 18.04 LTS server (Bionic Beaver) x86-64
  • Ubuntu 16.04 LTS server (Xenial Xerus) x86-64

Minimum hardware configuration:

  • CPU: 2 cores recommended as a minimum
  • Memory: 4 GB recommended as a minimum
  • Storage: 20 GB
  • Network: 1 GB NIC (2 for failover)

Firewall Configuration

The OWA requires specific ports to be open in your firewall. Follow the instructions below to configure default firewalls.

  • If using UFW (default firewall for Ubuntu):

    • Open port 443/TCP for inbound traffic:

      #
      ufw allow in 443/tcp

      Note

      TCP 443 (HTTPS) will only be available if you chose to enable HTTPS access during Administration Console installation.

    • Open port 80/TCP for inbound traffic:

      #
      ufw allow in 80/tcp

    • Open port 443/TCP for outbound traffic:

      #
      ufw allow out 443/tcp

    • Open port 3389/TCP for outbound traffic:

      #
      ufw allow out 3389/tcp

    • Open port 1113/TCP for outbound traffic:

      #
      ufw allow out 1113/tcp

  • If using firewalld (default firewall for CentOS 7 and RHEL 7):

    Warning

    The following rules will open ports to communication in both directions. Administrators should review and verify all necessary firewall rules in case you need a more restrictive implementation.

    • Open port 443/TCP:

      #
      firewall-cmd --permanent --add-port=443/tcp

    • Open port 80/TCP:

      #
      firewall-cmd --permanent --add-port=80/tcp

    • Open port 3389/TCP

      #
      firewall-cmd --permanent --add-port=3389/tcp

    • Open port 1113/TCP

      #
      firewall-cmd --permanent --add-port=1113/tcp

    • Activate updated firewall rules:

      #
      firewall-cmd --reload
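
After applying the rules from this section or from the OFS Firewall Configuration section, it is worth confirming that the host firewall really reports the expected inbound ports before moving on to registration. The following shell script is an added example (not part of this guide or the OVD packages): it takes the inbound port lists from both sections, normalises the output of firewall-cmd --list-ports or ufw status, and prints whichever required ports are missing. The function names ports_for_role, open_ports_from and missing_ports are the example's own, and the firewall output used in the usage note and tests is constructed.

```shell
#!/bin/sh
# Added example, not part of the OVD packages or this guide.

# Inbound TCP ports the guide opens for each role (OFS and OWA sections).
ports_for_role() {
    case "$1" in
        fs)  echo "1112/tcp 1113/tcp 445/tcp" ;;
        owa) echo "443/tcp 80/tcp" ;;
        *)   return 1 ;;
    esac
}

# Normalise firewall output read from stdin into one "port/proto" per line.
#   firewalld: output of "firewall-cmd --list-ports" (space separated)
#   ufw:       output of "ufw status" (lines like "1112/tcp  ALLOW IN  Anywhere")
open_ports_from() {
    case "$1" in
        firewalld) tr ' ' '\n' | sed '/^$/d' ;;
        ufw) awk '$2 == "ALLOW" && $3 == "IN" && $1 ~ /^[0-9]+\/(tcp|udp)$/ { print $1 }' ;;
        *) return 1 ;;
    esac
}

# usage: missing_ports ROLE BACKEND < firewall-output
# Prints the required inbound ports that are not open; returns 1 if any are
# missing, 2 for an unknown role or backend, 0 when everything is open.
missing_ports() {
    role="$1"; backend="$2"
    required=$(ports_for_role "$role") || { echo "unknown role: $role" >&2; return 2; }
    open=$(open_ports_from "$backend") || { echo "unknown backend: $backend" >&2; return 2; }
    missing=""
    for p in $required; do
        printf '%s\n' "$open" | grep -qxF "$p" || missing="$missing $p"
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "${missing# }"
    return 1
}
```

On a firewalld host the check is firewall-cmd --list-ports | missing_ports fs firewalld; on Ubuntu it is ufw status | missing_ports owa ufw. The outbound rules from the UFW lists are deliberately not checked here, because firewall-cmd --list-ports carries no direction (the Warning above explains that those rules open the ports both ways).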

Note

For more detailed firewall configuration, please refer to the Firewall and Ports section.

Installing on Ubuntu LTS

  • Install the OWA package:

    #
    apt install inuvika-ovd-web-access

  • During the installation, you will be asked if you want to connect the OWA to an existing OSM.

  • If you answered "yes" for the previous question, you will be prompted to enter the resource name of the OSM. In our example: sm.test.demo.

  • The installer will prompt whether to enable HTTPS access to the OWA if it detects that HTTPS access is not already enabled on the system. If HTTPS access is enabled, after completing the installation, both HTTP and HTTPS access to the OWA will be available.

To access the OWA, navigate to http://web.test.demo/ovd/ using a web browser.

Installing on RHEL 7 and CentOS 7

SELinux Configuration

Important

This configuration only applies to SELinux enabled systems. For more information, please refer to the Security-Enhanced Linux section.

  • Install the policycoreutils-python package:

    #
    yum install policycoreutils-python

  • Allow Apache to connect to the network:

    #
    setsebool -P httpd_can_network_connect=1

Package Installation

  • Install the OWA package:

    #
    yum install inuvika-ovd-web-access

  • Launch the configuration tool and set the IP for the OSM:

    #
    ovd-web-access-config

    Session Manager address [127.0.0.1]:

  • Select whether to enable HTTPS access to the OWA. This message is displayed only if HTTPS access is not already enabled on the system. If HTTPS access is enabled, after completing the installation, both HTTP and HTTPS access to the OWA will be available.

    Enable HTTPS support [yes] (yes or no):

  • Enable the Tomcat service

    #
    systemctl enable tomcat

  • Start the Tomcat service

    #
    systemctl restart tomcat

  • When using OVD version 3.1+

    • Enable guacamole service

      #
      systemctl enable guacamole

    • Start guacamole service

      #
      systemctl restart guacamole

  • When using an OVD version prior to 3.1

    • Enable guacd service

      #
      systemctl enable guacamole

    • Start guacd service

      #
      systemctl restart guacamole

  • Enable Apache service

    #
    systemctl enable httpd

  • Start Apache service

    #
    systemctl restart httpd

To access the OWA, navigate to http://web.test.demo/ovd/ using a web browser.

Finalize the installation

Once all required OVD components have been successfully installed, there are a few additional items to configure / verify before the service is ready to use.

Install proper SSL/TLS certificates on the OVD farm's entry points

The OVD farm requires the use of an X.509 certificate for secure communication.

Self-signed certificates are generated during the installation, but they are intended for evaluation purposes only and are not for production use.

Without a signed certificate installed, all users will receive a security warning in their browsers preventing them from accessing the service.

Warning

Before switching your OVD service to production or even deploying to a significant number of users, you must replace the self-signed certificate with a signed certificate obtained from a Certificate issuer.

Certificates must be installed on each node that hosts an HTTPS access point:

  • OSM / OAC / OUC
  • OWA
  • ESG

Design a validation plan

Finally, Inuvika recommends defining some form of acceptance criteria and a basic validation plan that will be used as a reference when updating and expanding the OVD farm.

Keep notes about information on servers (VMs, IP addresses, roles) and any custom / non-standard configurations that you may have performed.
