Installation and Configuration Guide¶

Last updated on Sep 07 2023.

Introduction¶

The purpose of this document is to describe how the different server roles of OVD Enterprise can be installed on all the supported operating systems. The OVD server roles can be installed on separate servers. This is recommended with an OVD farm in production

Note

To install any component, first follow the steps in the Prerequisites section. To perform an OVD Session Manager installation, follow steps in the OVD Session Manager (OSM) Installation and Configuration section. To perform an OVD Application Server installation, follow steps in the OVD Application Server (OAS) Installation and Configuration section. To perform an OVD File Server installation, follow the steps in the OVD File Server (OFS) Installation and Configuration section. To perform an OVD Web Access installation, follow the steps in the OVD Web Access (OWA) Installation and Configuration section.

Prerequisites¶

When installing a Linux distribution on your server, please ensure that the Server version is installed and not the Desktop version. Any required software packages will be installed when the OVD component is installed. Do not manually install a Graphical User Interface for desktop use or an X window environment. Failing to follow these recommendations may lead to poor system performance.

Each server you plan to install will require internet access.

Important

In this document, we are using sm.test.demo for the OSM resource name, oac.test.demo for the OAC, aps.test.demo for the OAS and web.test.demo for the OVD Web Access.

You need to use the resource name that is configured for your own environment. The resource name can be an IP address, an FQDN or a hostname. It cannot be a URI context, a protocol or a port.

Version code¶

Throughout this document, download links will use a version code specific to the version of OVD you are using.

You will find the version code on the Inuvika OVD supported versions page. You may also contact Inuvika to request the code.

Ubuntu LTS¶

sudo¶

On an Ubuntu system, we do not use the super user (root) to install packages. It is recommended to use sudo before each command you enter.

Of course, you can choose to log in as root if you wish using:

^$
$	`sudo -s`

Repository¶

You need to add the Inuvika Ubuntu repository to each server you plan to install.

Important

To run these commands, replace any instance of {VERSION_CODE} with the version code as described in the Version code section.

Update the package database:
^#
#
apt update
Upgrade all currently installed packages:
^#
#
apt upgrade
Install the apt-transport-https package:
^#
#
apt install apt-transport-https gnupg
Create a file /etc/apt/sources.list.d/ovd.list and add the following line:
- For Ubuntu 22.04 LTS (Jammy Jellyfish, for OVD version >= 3.2.1):
```
deb https://archive.inuvika.com/ovd/{VERSION_CODE}/ubuntu jammy main
```
- For Ubuntu 18.04 LTS (Bionic Beaver):
```
deb https://archive.inuvika.com/ovd/{VERSION_CODE}/ubuntu bionic main
```
- For Ubuntu 16.04 LTS (Xenial Xerus, for OVD version < 3.2):
```
deb https://archive.inuvika.com/ovd/{VERSION_CODE}/ubuntu xenial main
```

Install the keyring package to validate the repository using gpg:

For Ubuntu >= 22.04:

wget "https://archive.inuvika.com/ovd/{VERSION_CODE}/keyring" -O /etc/apt/trusted.gpg.d/ovd.asc

For Ubuntu < 22.04:

wget -O- "https://archive.inuvika.com/ovd/{VERSION_CODE}/keyring" | apt-key add -

Update the package database:
^#
#
apt update

RHEL and CentOS¶

Security-Enhanced Linux¶

Security-Enhanced Linux (SELinux) is a Linux kernel security module that enhances the security of your system. In RHEL and CentOS distributions, SELinux is enabled by default and runs in enforcing mode.

While OVD is fully compatible with SELinux, every role needs to be configured according to the steps provided in this document.

To verify the status of SELinux on any node, run the following command:

^#
#	`sestatus`

The expected (and default) SELinux status is enabled, with current mode set to enforcing. If current mode is set topermissive, SELinux is running, but mandatory access control is not enforced. In that case, you might want to set the mode to enforcing:

Edit the /etc/selinux/config file and set the SELINUX variable to enforcing
```
SELINUX=enforcing
```

Important

If SELinux is disabled and you want to enable it, follow the official Red Hat documentation: Changing SELinux States and Modes.

If you prefer to keep SELinux disabled, you can skip all SELinux configuration sections in this document.

Repository¶

You need to add the Inuvika RHEL/CentOS repository to each server you plan to install.

Important

To run these commands, replace any instance of {VERSION_CODE} with the version code as described in the Version code section.

Edit the /etc/yum.repos.d/ovd.repo file to add the following content:

For RHEL 8

[Inuvika-ovd]
name=Inuvika OVD
baseurl=https://archive.inuvika.com/ovd/{VERSION_CODE}/rhel/8/
enabled=1
gpgcheck=1
gpgkey=https://archive.inuvika.com/ovd/{VERSION_CODE}/keyring

For RHEL 7 and CentOS 7

[Inuvika-ovd]
name=Inuvika OVD
baseurl=https://archive.inuvika.com/ovd/{VERSION_CODE}/rhel/7/
enabled=1
gpgcheck=1
gpgkey=https://archive.inuvika.com/ovd/{VERSION_CODE}/keyring

For RHEL 7 only, you also need to enable the Server Optional repository:
^#
#
subscription-manager repos --enable=rhel-7-server-optional-rpms

Install the EPEL repository:

For RHEL 8

^#
#	`subscription-manager repos --enable=codeready-builder-for-rhel-8-x86_64-rpms`

^#
#	`yum install https://download.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm`

For RHEL 7 and CentOS 7

^#
#	`yum install https://download.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm`

Info

The EPEL repository is a separate repository which provides many additional software packages not provided by the default RHEL/CentOS repositories.

Update the package database:
- For RHEL 8
  ^#
  #
  yum makecache
- For RHEL 7 and CentOS 7
  ^#
  #
  yum makecache fast

Firewall and Ports¶

OVD requires several ports to be open in order to support different server roles. Although specific commands are provided for each component (in their corresponding section), IT Administrators should review and verify all necessary firewall rules in order to prevent possible service disruptions.

Following diagram describes the communication between different OVD roles and corresponding port numbers.

OVD Ports

OVD Session Manager

Incoming traffic
- TCP 443 (HTTPS): for communication with an end user's browser, OVD Administration Console, OVD Web Access and Enterprise Secure Gateway
- TCP 1111 (HTTP): for communication with an OVD Application Server, OVD File Server and Enterprise Secure Gateway
Outgoing traffic
- TCP 1112 (HTTP): for comunication with Enterprise Secure Gateway, OVD File Server and OVD Application Server

OVD Administration Console

Incoming traffic
- TCP 443 (HTTPS) and/or TCP 80 (HTTP): for communication with an administrator's browser and the Enterprise Secure Gateway
  
  Note
  
  TCP 443 (HTTPS) will only be available if you chose to enable HTTPS access during Administration Console installation.
Outgoing traffic
- TCP 443 (HTTPS): for communication with an OVD Session Manager

OVD Application Server

Incoming traffic
- TCP 1112 (HTTP): for communication with the OVD Session Manager
- TCP 3389 (RDP): for communication with the OVD Enterprise Secure Gateway, OVD Web Access and end user's browser
Outgoing traffic
- TCP 1111 (HTTP): for communication with the OVD Session Manager
- TCP 445 (CIFS): for communication with the OVD File Server

OVD File Server

Incoming traffic
- TCP 1112 (HTTP): for communication with the OVD Session Manager
- TCP 1113 (HTTP): for communication with an OVD Web Access
- TCP 445 (CIFS): for communication with an OVD Application Server
Outgoing traffic
- TCP 1111 (HTTP): for communication with the OVD Session Manager

OVD Web Access

Incoming traffic
- TCP 1112 (HTTP): for communication with the OVD Session Manager (for OVD version >= 3.3.0)
- TCP 443 (HTTPS) and/or TCP 80 (HTTP): for communication with an end user's browser and the Enterprise Secure Gateway
  
  Note
  
  TCP 443 (HTTPS) will only be available if you chose to enable HTTPS access during OVD Web Access installation.
Outgoing traffic
- TCP 1111 (HTTP): for communication with the OVD Session Manager (for OVD version >= 3.3.0)
- TCP 443 (HTTPS): for communication with an OVD Session Manager
- TCP 3389 (RDP): for communication with an OVD Application Server
- TCP 1113 (HTTP): for communication with an OVD File Server

Note

The above rules apply only to standard configurations. If you plan to use a different configuration (e.g. installing multiple OVD services on a single server), you may not need to apply all the rules described.

OVD Session Manager (OSM) Installation and Configuration¶

This server is the central piece of an OVD server farm and is always required. It manages the session establishment from a client, hosts the administration console and provides centralized management of all the OVD server resources. The OSM should be installed prior to any other server.

Inuvika provides various Linux packages for installing the OSM on a Linux server. Inuvika does not provide a Windows installer version of OSM.

Requirements¶

All of the following Operating Systems are supported:

RHEL 8 64-bit (for OVD version >= 3.3.0)
RHEL 7 / Centos 7 64-bit
Ubuntu 22.04 LTS server (Jammy Jellyfish) 64-bit (for OVD version >= 3.2.1)
Ubuntu 18.04 LTS server (Bionic Beaver) 64-bit
Ubuntu 16.04 LTS server (Xenial Xerus) 64-bit (for OVD version < 3.2)

Minimum hardware configuration:

CPU: 2 Cores recommended as a minimum
Memory: 4 GB recommended as a minimum
Storage: 20 GB
Network: 1 GB NIC (2 for failover)

Firewall Configuration¶

The OSM requires specific ports to be open in your firewall. Follow the instructions below to configure default firewalls.

If using UFW (default firewall for Ubuntu):
- Open port 443/TCP for inbound traffic:
  ^#
  #
  ufw allow in 443/tcp
- Open port 1111/TCP for inbound traffic:
  ^#
  #
  ufw allow in 1111/tcp
- Open port 1112/TCP for outbound traffic:
  ^#
  #
  ufw allow out 1112/tcp
If using firewalld (default firewall for RHEL and CentOS):

Warning

The following rules will open ports to communication in both directions. Administrators should review and verify all necessary firewall rules in case you need a more restrictive implementation.
- Open port 443/TCP:
  ^#
  #
  firewall-cmd --permanent --add-port=443/tcp
- Open port 1111/TCP:
  ^#
  #
  firewall-cmd --permanent --add-port=1111/tcp
- Open port 1112/TCP:
  ^#
  #
  firewall-cmd --permanent --add-port=1112/tcp
- Activate updated firewall rules:
  ^#
  #
  firewall-cmd --reload

Note

For more detailed firewall configuration, please refer to the Firewall and Ports.

Installing on Ubuntu LTS¶

Installing MySQL¶

The OSM needs access to a MySQL database. We advise you to setup the MySQL server on the same machine as the OSM to minimize network access time.

Install the mysql-server package
^#
#
apt install mysql-server
Note

If using Ubuntu 16.04 LTS, a new password for the root will be requested during the installation process.
Define the MySQL root password unless using Ubuntu 16.04 LTS (Xenial Xerus)
^#
#
mysqladmin -u root password
Open a MySQL shell
^#
#
mysql -u root -p
Apply the following instructions within this shell
1. Create a database
  ^mysql>
  mysql>
  CREATE DATABASE ovd;
2. Create a user, replacing a placeholder [ovd_password] with a secure password for this user
  ^mysql>
  mysql>
  CREATE USER "ovd"@"localhost" IDENTIFIED BY "[ovd_password]";
3. Allow the user to operate on the database
  ^mysql>
  mysql>
  GRANT ALL PRIVILEGES ON ovd.* TO 'ovd'@'localhost';
4. Reload MySQL configuration and exit the session
  ^mysql>
  mysql>
  FLUSH PRIVILEGES; exit;

Package Installation¶

Keep the default Kerberos configuration:

^#
#	`debconf-set-selections <<< "krb5-config krb5-config/default_realm string"`

Install the following OVD package:

^#
#	`apt install inuvika-ovd-session-manager`

The installer will prompt for an admin login and a password, and for confirmation of the password.

The OSM is now installed but not yet ready as the configuration requires the use of the OVD Administration Console. Please follow the next section to install the Administration Console and finish the configuration of the OSM.

Installing on RHEL and CentOS¶

SELinux Configuration¶

Important

This configuration only applies to SELinux enabled systems. For more information please refer to section Security-Enhanced Linux

Install the policycoreutils-python package:
- For RHEL 8
  ^#
  #
  yum install python3-policycoreutils
- For RHEL 7 and CentOS 7
  ^#
  #
  yum install policycoreutils-python

Allow Apache to listen on port 1111:

^#
#	`semanage port -at http_port_t -p tcp 1111`

Allow Apache to listen on port 1112:

^#
#	`semanage port -at http_port_t -p tcp 1112`

Allow http daemon to send mail:
^#
#
setsebool -P httpd_can_sendmail=1
Add required capabilities for php-fpm:
^#
#
setsebool -P httpd_execmem=1
Allow password change:
^#
#
setsebool -P nis_enabled=1
Allow Apache to connect to AD/LDAP server:
^#
#
setsebool -P httpd_can_connect_ldap=1

Change the context for files in /var/spool/ovd/:

^#
#	`semanage fcontext -at httpd_sys_rw_content_t "/var/spool/ovd(/.*)?"`

Change the context for files in /var/log/ovd/session-manager/:

^#
#	`semanage fcontext -at collectd_rw_content_t "/var/log/ovd/session-manager(/.*)?"`

Change the context of files in /usr/lib/fontconfig/cache/:

^#
#	`semanage fcontext -at fonts_cache_t "/usr/lib/fontconfig/cache(/.*)?"`

Change the context of files in /etc/ovd/session-manager/:

^#
#	`semanage fcontext -at httpd_sys_rw_content_t "/etc/ovd/session-manager(/.*)?"`

Change the context of the file /etc/ovd/session-manager/sessionmanager.cron:

^#
#	`semanage fcontext -at system_cron_spool_t "/etc/ovd/session-manager/sessionmanager.cron"`

Create and deploy additional policy rules:

Create and open the file /tmp/ovd_sm.te:
^#
#
nano /tmp/ovd_sm.te

Insert the following content and close the file:

module ovd_sm 1.0;

require {
        type useradd_t, httpd_sys_rw_content_t;
        type httpd_t, fonts_cache_t;
        class file write;
        class dir setattr;
}
allow useradd_t httpd_sys_rw_content_t: file write;
allow httpd_t fonts_cache_t: dir setattr;

Create a type file for the SELinux policy:

^#
#	`checkmodule -M -m -o /tmp/ovd_sm.mod /tmp/ovd_sm.te`

Package the policy:

^#
#	`semodule_package -o /tmp/ovd_sm.pp -m /tmp/ovd_sm.mod`

Install the policy:
^#
#
semodule -i /tmp/ovd_sm.pp
Remove temporary files:
^#
#
rm -f /tmp/ovd_sm*

Installing MySQL¶

The OSM needs access to a MySQL database. On RHEL and CentOS, the mysql database package is provided by mariadb. We advise you to setup the MySQL server on the same machine as the OSM to minimize network access time.

Install the mysql package:
^#
#
yum install mariadb mariadb-server
Enable and start the service
^#
#
systemctl enable --now mariadb
Define the mysql root password
^#
#
mysqladmin -u root password
Open a MySQL shell:
^#
#
mysql -u root -p
Apply the following instructions within this shell:
1. Create a database
  ^mysql>
  mysql>
  CREATE DATABASE ovd;
2. Create a user
  ^mysql>
  mysql>
  CREATE USER "ovd"@"localhost" IDENTIFIED BY "[ovd_password]";
  Warning
  
  Replace [ovd_password] with a secure password for this user
3. Allow the user to operate on the database
  ^mysql>
  mysql>
  GRANT ALL PRIVILEGES ON ovd.* TO 'ovd'@'localhost';
4. Reload MySQL configuration and exit the session
  ^mysql>
  mysql>
  FLUSH PRIVILEGES; exit;

Package Installation¶

Install the following OVD package:

^#
#	`yum install inuvika-ovd-session-manager`

Launch the configuration tool and set admin login and password
^#
#
ovd-session-manager-config

Enable and restart Apache service

^#
#	`systemctl enable httpd`

^#
#	`systemctl restart httpd`

The OSM is now installed but not ready as the configuration requires the use of the OVD Administration Console.

OVD Administration Console (OAC) Installation and Configuration¶

This OAC provides a web-based service that allows administrators to configure the OVD farm.

Inuvika provides various Linux packages for installing the OAC on a Linux server. Inuvika does not provide a Windows installer version of OAC.

Requirements¶

All of the following Operating Systems are supported:

RHEL 8 64-bit (for OVD version >= 3.3.0)
RHEL 7 / Centos 7 64-bit
Ubuntu 22.04 LTS server (Jammy Jellyfish) 64-bit (for OVD version >= 3.2.1)
Ubuntu 18.04 LTS server (Bionic Beaver) 64-bit
Ubuntu 16.04 LTS server (Xenial Xerus) 64-bit (for OVD version < 3.2)

Minimum hardware configuration:

CPU: 1 Core recommended as a minimum
Memory: 1 GB recommended as a minimum
Storage: 20 GB
Network: 1 GB NIC

Firewall Configuration¶

The OAC requires specific ports to be open in your firewall. Follow the instructions below to configure default firewalls.

If using UFW (default firewall for Ubuntu):
- Open port 443/TCP for inbound traffic:
  ^#
  #
  ufw allow in 443/tcp
  Note
  
  TCP 443 (HTTPS) will only be available if you chose to enable HTTPS access during Administration Console installation.
- Open port 80/TCP for inbound traffic:
  ^#
  #
  ufw allow in 80/tcp
- Open port 443/TCP for outbound traffic:
  ^#
  #
  ufw allow out 443/tcp
If using firewalld (default firewall for RHEL and CentOS):

Warning

The following rules will open ports to communication in both directions. Administrators should review and verify all necessary firewall rules in case you need a more restrictive implementation.
- Open port 443/TCP:
  ^#
  #
  firewall-cmd --permanent --add-port=443/tcp
- Open port 80/TCP:
  ^#
  #
  firewall-cmd --permanent --add-port=80/tcp
- Activate updated firewall rules:
  ^#
  #
  firewall-cmd --reload

Note

For more detailed firewall configuration, please refer to the Firewall and Ports.

Installing on Ubuntu LTS¶

Install the following OVD package:

^#
#	`apt install inuvika-ovd-administration-console`

The installer will require the resource name of the OVD Session Manager (e.g. sm.test.demo)
The installer will prompt whether to enable HTTPS access to the Administration Console if it detects that HTTPS access is not already enabled on the system. If HTTPS access is enabled, after completing the installation, both HTTP and HTTPS access to the Administration Console will be available.

Installing on RHEL and CentOS¶

SELinux Configuration¶

Important

This configuration only applies to SELinux enabled systems. For more information please refer to section Security-Enhanced Linux

Install the policycoreutils-python package:
- For RHEL 8
  ^#
  #
  yum install python3-policycoreutils
- For RHEL 7 and CentOS 7
  ^#
  #
  yum install policycoreutils-python

Change the context for files in /var/spool/ovd/:

^#
#	`semanage fcontext -at httpd_sys_rw_content_t "/var/spool/ovd(/.*)?"`

Add required capabilities for php-fpm:
^#
#
setsebool -P httpd_execmem=1

Allow Apache to connect to the network:

^#
setsebool -P httpd_can_network_connect=1

Package Installation¶

Install the following OVD packages:

^#
#	`yum install inuvika-ovd-administration-console`

Launch the Administration Console configuration tool
^#
#
ovd-administration-console-config
Specify the resource name of the OVD Session Manager (e.g. sm.test.demo)
```
Session Manager address [127.0.0.1]:
```
Select whether to enable HTTPS access to the Administration Console. This message is displayed only if HTTPS access is not already enabled on the system. If HTTPS access is enabled, after completing the configuration, both HTTP and HTTPS access to the Administration Console will be available.
```
Enable HTTPS support [yes] (yes or no):
```

Enable and restart Apache service

^#
#	`systemctl enable httpd`

^#
#	`systemctl restart httpd`

Configuration¶

The first step is to go to http://oac.test.demo/ovd/admin and authenticate yourself with the admin login and password you provided during installation.

The first time you log in, the system detects that it is not configured so you are redirected to a basic setup page which will save a default configuration.

On this page, you setup the MySQL configuration. For example, if you installed MySQL on the same host as described above, you would use the following configuration:

Database Type: MySQL
Database host address: localhost
Database username: ovd
Database password: [ovd_password] (replace with the actual password you set)
Database name: ovd
Table prefix: ovd_

After a successful configuration, Terms and Conditions - Inuvika End-User License Agreement appears. Please read carefully before accepting.

Important

To be able to use OVD, a valid subscription key is required. To install the key, go to System → Subscription Plan and upload and install a subscription key you have received.

OVD Application Server (OAS) Installation and Configuration¶

OVD Enterprise is an application and desktop delivery solution. The OAS in the OVD solution is the server that hosts and serves the end user applications and desktops. It is accessed from an OVD client using an enhanced Remote Display Protocol.

An Application Server can be either a Linux system or a Windows system depending on the type of applications and desktops you want to deliver. Of course, you can mix Linux and Windows machines in an OVD farm to deliver applications seamlessly to the end user from different application servers. The user load will be load-balanced by the OSM among the available application servers to provide a better distribution of server resources.

Requirements¶

Windows¶

All of the following Operating Systems are supported:

Windows Server 2022 with Remote Desktop Services
Windows Server 2019 with Remote Desktop Services
Windows Server 2016 with Remote Desktop Services
Windows Server 2012 R2 with Remote Desktop Services and extended support
Windows 10 Enterprise/Pro (limited to one concurent session)
Windows 11 Enterprise/Pro (limited to one concurent session)

Important

Windows 10/11 support does not include publication of Universal Windows Platform applications. These applications can be installed/removed manually.

Minimum hardware configuration:

CPU: 4 cores recommended as a minimum
Memory: 8 GB recommended as a minimum
Storage: 50+ GB. High speed disks with RAID-1 (15krpm, SSDs or SAN disks).
Network: 1 GB NIC

Important

Inuvika does not recommend you use Windows Server Essentials because the Remote Desktop Session Host role may not be installed. The connection limit is set to only two concurrent users in this case.

Firewall Configuration¶

The OAS requires specific ports to be open in your firewall. Follow the instructions below to open ports on the Windows Firewall using netsh via Command Prompt (run as administrator).

For any other type of firewall, please refer to its official documentation to open the ports described below.

Open port 1112/TCP for inbound traffic:

^>
>	`netsh advfirewall firewall add rule name="OAS http" dir=in action=allow protocol=TCP localport=1112`

Open port 3389/TCP for inbound traffic:

^>
>	`netsh advfirewall firewall add rule name="OAS rdp" dir=in action=allow protocol=TCP localport=3389`

Open port 1111/TCP for outbound traffic:

^>
>	`netsh advfirewall firewall add rule name="OAS rdp" dir=out action=allow protocol=TCP localport=1111`

Open port 445/TCP for outbound traffic:

^>
>	`netsh advfirewall firewall add rule name="OAS cifs" dir=out action=allow protocol=TCP localport=445`

Note

For more detailed firewall configuration, please refer to the Firewall and Ports.

Linux¶

All of the following Operating Systems are supported:

RHEL 8 64-bit (for OVD version >= 3.3.0)
RHEL 7 / Centos 7 64-bit
Ubuntu 22.04 LTS server (Jammy Jellyfish) 64-bit (for OVD version >= 3.2.1)
Ubuntu 18.04 LTS server (Bionic Beaver) 64-bit
Ubuntu 16.04 LTS server (Xenial Xerus) 64-bit (for OVD version < 3.2)

Minimum hardware configuration:

CPU: 4 cores recommended as a minimum
Memory: 8 GB recommended as a minimum
Storage: 50+ GB. High speed disks with RAID-1 (15krpm, SSDs or SAN disks).
Network: 1 GB NIC

Firewall Configuration¶

The OAS requires specific ports to be open in your firewall. Follow the instructions below to configure default firewalls.

If using UFW (default firewall for Ubuntu):
- Open port 1112/TCP for inbound traffic:
  ^#
  #
  ufw allow in 1112/tcp
- Open port 3389/TCP for inbound traffic:
  ^#
  #
  ufw allow in 3389/tcp
- Open port 1111/TCP for outbound traffic:
  ^#
  #
  ufw allow out 1111/tcp
- Open port 445/TCP for outbound traffic:
  ^#
  #
  ufw allow out 445/tcp
If using firewalld (default firewall for RHEL and CentOS):

Warning

The following rules will open ports to communication in both directions. Administrators should review and verify all necessary firewall rules in case you need a more restrictive implementation.
- Open port 1112/TCP:
  ^#
  #
  firewall-cmd --permanent --add-port=1112/tcp
- Open port 3389/TCP:
  ^#
  #
  firewall-cmd --permanent --add-port=3389/tcp
- Open port 1111/TCP
  ^#
  #
  firewall-cmd --permanent --add-port=1111/tcp
- Open port 445/TCP
  ^#
  #
  firewall-cmd --permanent --add-port=445/tcp
- Activate updated firewall rules:
  ^#
  #
  firewall-cmd --reload

Note

For more detailed firewall configuration, please refer to the Firewall and Ports section.

Requirement for the nls_utf8 kernel module¶

The OVD Application Server requires the nls_utf8 kernel module to be installed on the system.

This module is installed by the distribution’s default Linux kernel. However, some cloud-based environments may provide their own custom Linux kernel and these kernels are not guaranteed to include nls_utf8.

Info

This section is not required when using a default Linux kernel. Typically linux-image-generic on Ubuntu.

To verify if the module is installed on the system, run the following command:

^#
#	`modprobe nls_utf8`

If the command returns an error, it means that the module is not installed. In this case, try the following alternatives:

Search if the module is provided by a package that can be installed.

For example, when using Ubuntu's default kernels, the module is provided by the linux-modules-extra or linux-image-extra packages.

Check if the kernel provides such extra packages:
^#
#
apt list "linux-*-$(uname -r)*"
Contact your Cloud provider to request the support of nls_utf8
Switch to a different kernel, such as the distribution's default kernel

Installing on Microsoft Windows¶

The Microsoft Remote Desktop Session Host (RDSH) role must be deployed, configured, and properly licensed. For more information about Microsoft Remote Desktop licensing, please visit the corresponding section of the official Microsoft documentation: Remote Desktop Licensing.

Important

The Windows server may run in a workgroup or be a member of an Active Directory domain but must not run as a domain controller.

Enabling Network Level Authentication (NLA) on Microsoft RDS is optional but strongly recommended.

Before installing the OAS, the Inuvika OVD Session Manager (OSM) must be installed and running. Furthermore if the RDSH role has just been installed, the server must be rebooted before installing the OAS.

Inuvika provides two Windows installers for the OAS:

An .exe setup (recommended)
An .msi package

Installation using the .exe setup is recommended because it ships all dependencies whereas the .msi package is provided for automation purposes (auto-deployement) and requires the installation of external dependencies.

Dependencies for the MSI package

Before installing the MSI package, you will need to install the following dependencies:

Microsoft Visual C++ Redistributable for Visual Studio 2017 - x86
Microsoft Visual C++ Redistributable for Visual Studio 2017 - x64 (When using OVD version 3.1+)
Microsoft Visual C++ Redistributable for Visual Studio 2008 - x86 (When using OVD versions prior to 3.1)

Visit the Microsoft website for the latest versions.

In addition, you may want to visit the following Chocolatey references as Inuvika has validated them for automation: vcredist2017 & vcredist2008.

Download the OAS installer from this location: https://archive.inuvika.com/ovd/{VERSION_CODE}

Important

Replace {VERSION_CODE} with the version code as described in the Version code section.

Copy the OAS installer to the Windows Server machine you wish to install it on and run it.

The only installation data required is resource name of the OVD Session Manager. We use sm.test.demo here as an example, but of course, you have to specify your own domain name.

When the installation is complete, the Windows OVD service should be configured and running. To check the status, go to the Windows Services and search for Inuvika OVD Agent.

Please follow the next section to register the server.

Installing on Ubuntu LTS¶

Keep the default davfs2 configuration:

^#
#	`debconf-set-selections <<< "davfs2 davfs2/suid_file boolean false"`

Install the OAS packages:

^#
#	`apt install inuvika-ovd-slaveserver-role-aps inuvika-ovd-desktop`

The only information required is the resource name where the OSM can be accessed. We use sm.test.demo in this example, but of course, you have to use your own resource name.

Important

If you choose to install OAS on the same machine as OSM, enter 127.0.0.1 for the resource name.

Please follow the next section to register the server.

Installing on RHEL and CentOS¶

SELinux Configuration¶

Important

This configuration only applies to SELinux enabled systems. For more information please refer to section Security-Enhanced Linux

Install policycoreutils-python package
- For RHEL 8
  ^#
  #
  yum install python3-policycoreutils
- For RHEL 7 and CentOS 7
  ^#
  #
  yum install policycoreutils-python

Change context for files in /var/spool/xrdp_printer/

^#
#	`semanage fcontext -at print_spool_t "/var/spool/xrdp_printer(/.*)"`

Create and deploy additional policy rules

Create and open a file /tmp/ovd_aps.te
^#
#
nano /tmp/ovd_aps.te

Insert following content and close the file

module ovd_aps 1.0;

require {
        type smbd_t, cupsd_var_run_t;
        type logwatch_mail_t, logwatch_cache_t;
        type pulseaudio_t, httpd_sys_rw_content_t, system_dbusd_t;
        type initrc_var_run_t, fusefs_t, initrc_state_t;
        class file { append create getattr lock open read write };
        class dir { add_name create read setattr write };
        class sock_file read;
}

allow smbd_t cupsd_var_run_t:sock_file read;
allow logwatch_mail_t logwatch_cache_t:dir { add_name write };
allow logwatch_mail_t logwatch_cache_t:file { append create getattr open };
allow system_dbusd_t httpd_sys_rw_content_t: file { append };
allow pulseaudio_t httpd_sys_rw_content_t: file { read write };
allow pulseaudio_t fusefs_t:dir { add_name create read write };
allow pulseaudio_t initrc_var_run_t:file { read write };
allow pulseaudio_t fusefs_t:file { create getattr lock open read write };
allow pulseaudio_t initrc_state_t:file { getattr read write };

Create a type file for SELinux policy

^#
#	`checkmodule -M -m -o /tmp/ovd_aps.mod /tmp/ovd_aps.te`

Package policy

^#
#	`semodule_package -o /tmp/ovd_aps.pp -m /tmp/ovd_aps.mod`

Install policy
^#
#
semodule -i /tmp/ovd_aps.pp
Remove temporary files
^#
#
rm -f /tmp/ovd_aps*

Package Installation¶

Install the cups package:
^#
#
yum install cups
Configure the cups service:
^#
#
systemctl enable cups

Install the OAS packages:

^#
#	`yum install inuvika-ovd-slaveserver-role-aps inuvika-ovd-desktop`

Enable the XRDP services (For OVD version >= 3.1)

^#
#	`systemctl enable xrdp-log.service xrdp-sesman.service xrdp-printer.service xrdp.service`

Register host/IP address of the OVD Session Manager:
^#
#
ovd-slaveserver-config --sm-address sm.test.demo
Important

If you choose to install OAS on the same machine as OSM, enter 127.0.0.1 for the resource name.
Enable the ovd-slaveserver service
^#
#
systemctl enable ovd-slaveserver
Reboot the server
^#
#
reboot

Registering the Application Server¶

In the Administration Console, go to Servers -> Unregistered Servers. The Application Server should appear in the list. Register your application server and switch it from "maintenance" to "production" mode.

Warning

If your server does not show up in the list, you might have a DNS configuration issue.

If you want to change the name of your server, click on its name and on the next page enter required name in Display name field.

User Isolation (Optional)¶

By giving access to the same Application Server to different user sessions, connected users may find several ways to be aware of each other. Users should not have any rights to view or alter another user’s data but the default Operating System rules can allow users to list existing user accounts and access this data.

Our recommendation, as part of our OVD Best Practices, is to change the Operating System’s default access rules for the home directory base folders.

Windows: C:\Users
^>
>
icacls C:\Users /deny "OVDUsers:(NP)(RD)"
Additionally, you can also apply the following rule which will prevent OVD Users from creating content in C:\.
^>
>
icacls C:\ /deny "OVDUsers:(NP)(W)"
Linux: /home
^#
#
chmod o-rw /home/
- For RHEL 8, you need to install, enable and start lxcfs service
  ^#
  #
  yum install lxcfs
  ^#
  #
  systemctl enable --now lxcfs
Note

This is not compatible with snap applications on Ubuntu 22.04 Jammy Jellyfish. Snap applications are running inside a container and need access to the user's profile.

Deactivation of Windows Security on Windows Server 2019/2022 (Optional)¶

As of Windows Server 2019, the new application Windows Security grants users read-access for critical configurations (firewall, antivirus, device security, etc...). Modifications of these permissions are controlled by the User Account Control (UAC).

Our recommendation, as part of our OVD Best Practices, is to remove user access for Windows Security. Administrators will still be able to access it after this is done.

Remove access for the Users Group:

Set environmental variable

^>
set WS=%SystemRoot%\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe

Remove ownership
^>
>
takeown /f %WS%
Remove access
^>
>
icacls %WS% /deny "Users:(X)"

Let Windows apps access the microphone on Windows Server 2019/2022 (Optional)¶

Windows Server 2019 introduced a user setting to allow applications to use the microphone. As OVD prevents the use of the Settings pannel, they can't configure it. To globally enforce usage of the microphone, configure the following Group Policy settings:

Navigate

Computer configuration
  → Administrative Templates
    → Windows Components
      → App Privacy
        → Let Windows apps access the microphone

Set state to Enabled
Set Default for all apps to Force Allow

OVD File Server (OFS) Installation and Configuration¶

Within OVD, the OFS provides a centralized file management system that enables users to access the same files independently of which application server is used to provide the application. OFS provides a network file system that the OAS Servers are able to access when users are running sessions. It is used to provide access to both user profiles, and data folders and files.

The OFS is available for Linux based servers only. In a small OVD server farm, the OFS may reside on the same physical machine as the OAS. In larger installations, the OFS would typically be installed on dedicated hardware.

Requirements¶

All of the following Operating Systems are supported:

RHEL 8 64-bit (for OVD version >= 3.3.0)
RHEL 7 / Centos 7 64-bit
Ubuntu 22.04 LTS server (Jammy Jellyfish) 64-bit (for OVD version >= 3.2.1)
Ubuntu 18.04 LTS server (Bionic Beaver) 64-bit
Ubuntu 16.04 LTS server (Xenial Xerus) 64-bit (for OVD version < 3.2)

Minimum hardware configuration:

CPU: 2 cores (4 cores recommended)
Memory: 2 GB (4 GB recommended)
Storage: 100+ GB. High speed disks with RAID-1 (15krpm, SSDs or SAN disks).
Network: 1 GB NIC

Firewall Configuration¶

The OFS requires specific ports to be open in your firewall. Follow the instructions below to configure default firewalls.

If using UFW (default firewall for Ubuntu):
- Open port 1112/TCP for inbound traffic:
  ^#
  #
  ufw allow in 1112/tcp
- Open port 1113/TCP for inbound traffic:
  ^#
  #
  ufw allow in 1113/tcp
- Open port 445/TCP for inbound traffic:
  ^#
  #
  ufw allow in 445/tcp
- Open port 1111/TCP for outbound traffic:
  ^#
  #
  ufw allow out 1111/tcp
If using firewalld (default firewall for RHEL and CentOS):

Warning

The following rules will open ports to communication in both directions. Administrators should review and verify all necessary firewall rules in case you need a more restrictive implementation.
- Open port 1112/TCP:
  ^#
  #
  firewall-cmd --permanent --add-port=1112/tcp
- Open port 1113/TCP:
  ^#
  #
  firewall-cmd --permanent --add-port=1113/tcp
- Open port 445/TCP
  ^#
  #
  firewall-cmd --permanent --add-port=445/tcp
- Open port 1111/TCP
  ^#
  #
  firewall-cmd --permanent --add-port=1111/tcp
- Activate updated firewall rules:
  ^#
  #
  firewall-cmd --reload

Note

For more detailed firewall configuration, please refer to the Firewall and Ports.

Installing on Ubuntu LTS¶

Install the OFS package:

^#
#	`apt install inuvika-ovd-slaveserver-role-fs`

The only information required is the resource name where the OSM can be accessed. We use sm.test.demo here for the example, but of course, you have to set your own domain name.

Important

If you choose to install OFS on the same machine as OSM, enter 127.0.0.1 for the resource name.

Please follow the next section to register the server.

Installing on RHEL and CentOS¶

SELinux Configuration¶

Important

This configuration only applies to SELinux enabled systems. For more information please refer to section Security-Enhanced Linux

Install the policycoreutils-python package:
- For RHEL 8
  ^#
  #
  yum install python3-policycoreutils
- For RHEL 7 and CentOS 7
  ^#
  #
  yum install policycoreutils-python
Allow Apache to access ntfs/fusefs volumes:
^#
#
setsebool -P httpd_use_fusefs=1
Allow Samba to export ntfs/fusefs volumes:
^#
#
setsebool -P samba_share_fusefs=1

Allow Apache to listen on port 1113:

^#
#	`semanage port -at http_port_t -p tcp 1113`

Change the context for files in var/lib/ovd/slaveserver/fileserver-data/:

^#
#	`semanage fcontext -at httpd_user_rw_content_t "/var/lib/ovd/slaveserver/fileserver-data(/.*)?"`

Create and deploy additional policy rules:

Create and open the file /tmp/ovd_fs.te:
^#
#
nano /tmp/ovd_fs.te

Insert the following content and close the file:

For RHEL 8

module ovd_fs 1.1;

require {
        type init_t;
        type logwatch_mail_t;
        type logwatch_cache_t;
        type samba_unconfined_net_t;
        type winbind_rpcd_t, fusefs_t;
        class capability { dac_override dac_read_search };
        class dbus send_msg;
        class dir { add_name ioctl read write };
        class file { append create getattr open read write };
}

allow logwatch_mail_t logwatch_cache_t:dir { add_name write };
allow logwatch_mail_t logwatch_cache_t:file { append create getattr open };
allow winbind_rpcd_t fusefs_t:file { read write };
allow winbind_rpcd_t fusefs_t:dir { ioctl read };
allow winbind_rpcd_t self:capability { dac_override dac_read_search };
allow init_t samba_unconfined_net_t:dbus send_msg;

For RHEL 7 and CentOS 7

module ovd_fs 1.0;

require {
        type logwatch_mail_t;
        type logwatch_cache_t;
        class dir { add_name write };
        class file { append create getattr open };
}

allow logwatch_mail_t logwatch_cache_t:dir { add_name write };
allow logwatch_mail_t logwatch_cache_t:file { append create getattr open };

Create a type file for the SELinux policy:

^#
#	`checkmodule -M -m -o /tmp/ovd_fs.mod /tmp/ovd_fs.te`

Package the policy:

^#
#	`semodule_package -o /tmp/ovd_fs.pp -m /tmp/ovd_fs.mod`

Install the policy:
^#
#
semodule -i /tmp/ovd_fs.pp
Remove temporary files:
^#
#
rm -f /tmp/ovd_fs*

Package Installation¶

Install the samba package:
^#
#
yum install samba
Enable samba service
^#
#
systemctl enable smb

Install the OFS package:

^#
#	`yum install inuvika-ovd-slaveserver-role-fs`

Register host/IP address of the OVD Session Manager:
^#
#
ovd-slaveserver-config --sm-address sm.test.demo
Important

If you choose to install OFS on the same machine as OSM, enter 127.0.0.1 for the resource name.
Enable the ovd-slaveserver service:
^#
#
systemctl enable ovd-slaveserver
Reboot the server:
^#
#
reboot

Registering the File Server¶

In the Administration Console, go to Servers -> Unregistered Servers. The File Server should appear in the list. Register your application server and switch it from "maintenance" to "production" mode.

Warning

If your server does not show up in the list, you might have a DNS configuration issue.

If you want to change the name of your server, click on its name and on the next page enter required name in Display name field.

OVD Web Access (OWA) Installation and Configuration¶

The OWA server is responsible for managing browser-based client sessions. This requires an HTML5 compliant browser on the client machine but no software needs to be installed on the client machine. The OVD session can be tunneled over an SSL session for secure data transmission.

For small installations, it is possible to install OWA on the same machine as the OSM. For larger installations it is recommended to install one or more OWA roles on separate servers and to load-balance the servers for optimal performance.

In this example, we are using web.test.demo as the OWA resource name.

Note

In addition, the OWA provides capabilities through a JavaScript API to integrate OVD with other web based applications. For further details on the API please refer to the Javascript Framework Guide available at https://docs.inuvika.com.

Requirements¶

All of the following Operating Systems are supported:

RHEL 8 64-bit (for OVD version >= 3.3.0)
RHEL 7 / Centos 7 64-bit
Ubuntu 22.04 LTS server (Jammy Jellyfish) 64-bit (for OVD version >= 3.2.1)
Ubuntu 18.04 LTS server (Bionic Beaver) 64-bit
Ubuntu 16.04 LTS server (Xenial Xerus) 64-bit (for OVD version < 3.2)

Minimum hardware configuration:

CPU: 2 cores recommended as a minimum
Memory: 4 GB recommended as a minimum
Storage: 20 GB
Network: 1 GB NIC (2 for failover)

Firewall Configuration¶

The OWA requires specific ports to be open in your firewall. Follow the instructions below to configure default firewalls.

If using UFW (default firewall for Ubuntu):
- Open port 80/TCP for inbound traffic:
  ^#
  #
  ufw allow in 80/tcp
- Open port 443/TCP for inbound traffic:
  ^#
  #
  ufw allow in 443/tcp
  Note
  
  TCP 443 (HTTPS) will only be available if you chose to enable HTTPS access during OVD Web Access installation.
- Open port 1112/TCP for inbound traffic (for OVD version >= 3.3.0):
  ^#
  #
  ufw allow in 1112/tcp
- Open port 443/TCP for outbound traffic:
  ^#
  #
  ufw allow out 443/tcp
- Open port 1111/TCP for outbound traffic (for OVD version >= 3.3.0):
  ^#
  #
  ufw allow out 1111/tcp
- Open port 1113/TCP for outbound traffic:
  ^#
  #
  ufw allow out 1113/tcp
- Open port 3389/TCP for outbound traffic:
  ^#
  #
  ufw allow out 3389/tcp
If using firewalld (default firewall for RHEL and CentOS):

Warning

The following rules will open ports to communication in both directions. Administrators should review and verify all necessary firewall rules in case you need a more restrictive implementation.
- Open port 80/TCP:
  ^#
  #
  firewall-cmd --permanent --add-port=80/tcp
- Open port 443/TCP:
  ^#
  #
  firewall-cmd --permanent --add-port=443/tcp
- Open port 1111/TCP (for OVD version >= 3.3.0)
  ^#
  #
  firewall-cmd --permanent --add-port=1111/tcp
- Open port 1112/TCP (for OVD version >= 3.3.0)
  ^#
  #
  firewall-cmd --permanent --add-port=1112/tcp
- Open port 1113/TCP
  ^#
  #
  firewall-cmd --permanent --add-port=1113/tcp
- Open port 3389/TCP
  ^#
  #
  firewall-cmd --permanent --add-port=3389/tcp
- Activate updated firewall rules:
  ^#
  #
  firewall-cmd --reload

Note

For more detailed firewall configuration, please refer to the Firewall and Ports.

Installing on Ubuntu LTS¶

OVD version >= 3.3¶

Install the OWA package:

^#
#	`apt install inuvika-ovd-slaveserver-role-webaccess`

The installer will require the resource name of the OVD Session Manager (e.g. sm.test.demo)

OVD version < 3.3¶

Install the OWA package:
^#
#
apt install inuvika-ovd-web-access
The installer will prompt whether to enable HTTPS access to the Web Access if it detects that HTTPS access is not already enabled on the system. If HTTPS access is enabled, after completing the installation, both HTTP and HTTPS access to the Administration Console will be available.

To access the OWA, navigate to http://web.test.demo/ovd/ using a web browser.

Installing on RHEL and CentOS¶

SELinux Configuration¶

Important

This configuration only applies to SELinux enabled systems. For more information please refer to section Security-Enhanced Linux

Install the policycoreutils-python package:
- For RHEL 8
  ^#
  #
  yum install python3-policycoreutils
- For RHEL 7 and CentOS 7
  ^#
  #
  yum install policycoreutils-python
Add required capabilities for php-fpm:
^#
#
setsebool -P httpd_execmem=1

Allow Apache to connect to the network:

^#
setsebool -P httpd_can_network_connect=1

SELinux Configuration 3.3¶

Change the context for files in /var/spool/ovd/:

^#
#	`semanage fcontext -at httpd_sys_rw_content_t "/var/spool/ovd(/.*)?"`

Create and deploy additional policy rules:

Create and open the file /tmp/ovd_webaccess.te:
^#
#
nano /tmp/ovd_webaccess.te

Insert the following content and close the file:

module ovd_webaccess 1.0;

require {
        type tomcat_t;
        type var_spool_t;
        type httpd_sys_rw_content_t;
        class dir { add_name getattr remove_name search write };
        class file { create getattr open read unlink write };
}

#============= tomcat_t ==============

allow tomcat_t var_spool_t:dir { add_name getattr remove_name search write };
allow tomcat_t var_spool_t:file { create getattr open read write unlink };

allow tomcat_t httpd_sys_rw_content_t:dir { add_name getattr remove_name search write };
allow tomcat_t httpd_sys_rw_content_t:file { create getattr open read write unlink };

1. Create a type file for the SELinux policy:

^#
#	`checkmodule -M -m -o /tmp/ovd_webaccess.mod /tmp/ovd_webaccess.te`

Package the policy:

^#
#	`semodule_package -o /tmp/ovd_webaccess.pp -m /tmp/ovd_webaccess.mod`

Install the policy:
^#
#
semodule -i /tmp/ovd_webaccess.pp
Remove temporary files:
^#
#
rm -f /tmp/ovd_webaccess*

Package Installation¶

OVD version >= 3.3¶

Install the OWA package:

^#
#	`yum install inuvika-ovd-slaveserver-role-webaccess`

Register host/IP address of the OVD Session Manager:
^#
#
ovd-slaveserver-config --sm-address sm.test.demo
Important

If you choose to install OFS on the same machine as OSM, enter 127.0.0.1 for the resource name.
Configure the ovd-slaveserver service:
^#
#
systemctl enable ovd-slaveserver
Start the ovd-slaveserver service:
^#
#
systemctl restart ovd-slaveserver

OVD version < 3.3¶

Install the OWA package:
- For RHEL 7 and CentOS 7
  ^#
  #
  yum install inuvika-ovd-web-access
Launch the configuration tool and set the IP for the OSM:
^#
#
ovd-web-access-config
```
Session Manager address [127.0.0.1]:
```
Select whether to enable HTTPS access to the OWA. This message is displayed only if HTTPS access is not already enabled on the system. If HTTPS access is enabled, after completing the installation, both HTTP and HTTPS access to the OWA will be available.
```
Enable HTTPS support [yes] (yes or no):
```

Package configuration¶

When using RHEL 7 or CentOS 7: Enable the Tomcat service

^#
#	`systemctl enable --now tomcat`

^#
#	`systemctl restart tomcat`

When using RHEL 8, enable and start the Guacamole Bridge service
^#
#
systemctl enable --now guacamole-bridge
Enable guacd service (When using OVD version prior to version 3.1)
^#
#
systemctl enable --now guacd
Enable guacamole service (When using OVD version 3.1+)
^#
#
systemctl enable --now guacamole

Enable and restart Apache service

^#
#	`systemctl enable httpd`

^#
#	`systemctl restart httpd`

To access the OWA, navigate to http://web.test.demo/ovd/ using a web browser.

Finalize the installation¶

Once all required OVD components have been successfully installed, there are a few additional items to configure / verify before the service is ready to use.

Install a proper SSL/TLS Certificates on the OVD farms entry points¶

The OVD farm requires the use of an X.509 certificate for secure communication.

Self-signed certificates are not for production use. Self-signed certificates are generated during the installation, but this is only designed for evaluation purposes.

Without a signed certificate installed, all users will receive a security warning in their browsers preventing them from accessing the service.

Warning

Before switching your OVD service to production or even deploying to a significant number of users, you must replace the self-signed certificate with a signed certificate obtained from a Certificate issuer.

Certificates must be installed on each node that hosts an HTTPs access:

OSM / OAC / OUC
OWA
ESG

Design a validation plan¶

Finally, Inuvika recommends defining some form of acceptance criteria and a basic validation plan that will be used as a reference when updating and complexifing the OVD farm.

Keep notes about information on servers (VMs, IP addresses, roles) and any custom / non-standard configurations that you may have performed.