NoMachine Enterprise Desktop - Installation and ......Installation and Configuration Guide NoMachine Enterprise Desktop - Installation and Configuration Guide ... Using an Alternative

NoMachine Enterprise Desktop -Installation and Configuration

Guide

NoMachine Enterprise Desktop - Installationand Configuration Guide

Prepared by:Silvia Regis

N°: D-010_006-NMC-NTD

Approved by: Sarah Dryell

Last modified:2020-12-09

Amended:A

Page 1 of 61

Table of Contents

Introduction1. NoMachine Enterprise Desktop - Installation and Configuration Guide

1.1. About This Guide

How to set-up the Enterprise Desktop2. Install the Enterprise Desktop

2.1. Prerequisites

2.2. Windows Installations

2.3. Mac Installations

2.4. Linux Installations

2.5. RPM Packages

2.6. DEB Packages

2.7. TAR.GZ Packages

2.8. Installing Without Starting NoMachine Services Automatically

2.9. Activating the License (for Customers)

Connect to the Enterprise Desktop3. Initiating a NoMachine Connection (end-user's side)

3.1. Connecting by Browsers Via Enterprise Desktop Web Tools

3.2. Connecting by NoMachine Client

3.3. Preventing Users from Storing Credentials

Configurations and Optimizations4. Configuring NoMachine Enterprise Desktop

4.1. Configuring Web Sessions

4.2. Managing Enterprise Desktop Web Services

4.3. Using an Alternative Apache Web Server

4.4. Web Optimizations: Using WebRTC (Real-Time Web Communication)

5. Compression Techniques and Optimizations



N°: D-010_006-NMC-NTD



Amended:A

Page 2 of 61

5.1. Video Streaming Encoding in Web Sessions5.2. Video Streaming Encoding in Client Sessions

Enterprise Desktop's Administration6. Enterprise Desktop's Configuration

6.1. Configuration Files

7. Services Management

7.1. Accepting Connections

7.2. Stopping and Starting Server (nxserver) and Services

7.3. Stopping and Starting nxd, nxhtd and nxsshd

7.4. Local and Network Ports

7.5. Hiding the NoMachine Monitor and Notification Messages

7.6. Hiding the Whiteboard and Chat Tools

7.7. Handling with Discovering of this Server on LAN

8. Notifications to Users

8.1. Whiteboard and Custom Notifications

9. Supported Connection Protocols and Authentication Methods

9.1. Defining Protocol in Server Configuration

9.2. Locking Down the Accepted Authentication Methods

9.3. Changing Port for the NX Protocol

9.4. Changing Port for the SSH Protocol

9.5. Connecting to a Server Behind a NAT Router (UPnP Port Mapping)

9.6. Using NoMachine DBs for Managing User Access

10. Users Management

10.1. Managing Users

10.2. Connecting with a Privileged System Account

10.3. Managing Desktop Owner's Authorization (Trusted User)

10.4. Guest Users

11. Sessions' Management

11.1. Monitoring Sessions

11.2. Managing Sessions

11.3. Executing Custom Scripts on Server/Node Events

12. Connections to the Remote Desktop and Collaborative Sessions



N°: D-010_006-NMC-NTD



Amended:A

Page 3 of 61

12.1. Blanking the Remote Screen and Auto Lock Upon Disconnecting

12.2. Configuring Interactive or View-only Mode

12.3. Forcing a System Logout Upon Session Disconnection

13. Device Sharing, Copy&Paste and File Transfer

13.1. Connecting Devices

13.2. Disks

13.3. Printers

13.4. USB Devices

13.5. Network Ports

13.6. Smartcard Readers

13.7. Copy and Paste Operations

13.8. Transferring Files

14. Multimedia and Session Recording

14.1. Supporting Audio and Microphone

14.2. Recording your Screen

14.3. Automatic Screen Recording

15. Automatic Updates

16. Logging Facilities

Federating the Enterprise Desktop Under a Cloud Server17. Setting-up a Centralized Access to Multiple Enterprise Desktop Servers

Introduction

1. NoMachine Enterprise Desktop Installation and ConfigurationGuide

Welcome to the NoMachine Enterprise Desktop - Installation and Configuration Guide v. 7.

What is NoMachine Enterprise Desktop for?



N°: D-010_006-NMC-NTD



Amended:A

Page 4 of 61

NoMachine Enterprise Desktop is a standalone server that provides unlimited concurrent accesses tothe physical desktop of its host. Designed for work sharing sessions and real-time collaboration,remote teaching or assistance, it can be configured for full interaction with the desktop or view-onlymode.

Available for Linux, Mac and Windows, the Enterprise Desktop accepts connections via a browser(thanks to its built-in web server) or via NoMachine client.

Additionally, it can also be federated under a Cloud Server. This solution is suitable to centralize theaccess to multiple NoMachine servers distributed across the world or to provide for exampleemployees access to the corporate network with the Cloud Server in a DMZ or behind a NAT.

A Graphical InterfaceThe NoMachine Enterprise Desktop server package includes a User Interface (UI) for administeringthe server and its services (Server settings).

Most common operations detailed in this guide can be performed by the NoMachine UI and theServer settings panel running on the local installation of the server.

More details about the Server UI can be found in the dedicated guide available in the Documentssection at: https://www.nomachine.com/all-documents

The Enterprise Desktop comes also with a client UI for running sessions and connecting to otherremote desktops.

The server is fully operative once installedInstallation is conceived to provide a fully operative NoMachine server with a default configurationsuitable for the greatest part of environments. All the necessary services are automatically started.

A standalone serverNoMachine Enterprise Desktop, available for Linux, Windows and Mac, supports multiple concurrentconnections to the physical desktop (sharing of the desktop) of its host machine. Number of users isnot limited. NoMachine Enterprise Desktop is a single server (standalone server), to all effects.

A federated serverNoMachine Enterprise Desktop can be also federated under a Cloud Server v. 7 which provides asingle point of access to multiple server subsystems. In this case, it's possible configuring theEnterprise Desktop to not accept direct connections. For more specific instructions about federatingthe Enterprise Desktop and creating a multi-server setup, refer to the Cloud Server administrative'sguide available in the 'Installation' section at https://www.nomachine.com/all-documents.

1.1. About This Guide



N°: D-010_006-NMC-NTD



Amended:A

Page 5 of 61

https://88.207.207.59:11500/all-documents


Document Conventions and Important NoticesThe following conventions are used in this guide:

BaseDirectory is the base directory where the NoMachine binaries and libraries are installed. By default, BaseDirectory is: /usr on Linux, C:\Program Files\ on Windows and /Applications on Mac.

InstallationDirectory is: BaseDirectory/NX on Linux, BaseDirectory/NoMachine on Windows andBaseDirectory/NoMachine.app on Mac.

The command line interfaceNoMachine server and node programs have a command line interface to execute operations.

You need to be a privileged system user to access all these functionalities. These commands can berun from an xterm or similar on Linux and Mac using the sudo utility or as root. On Windows they canbe run from a command prompt (cmd.exe) executed as administrator.

On Linux and Mac, invoke the 'nxserver' and 'nxnode' programs from /etc/NX, for example:

$ /etc/NX/nxserver --help$ /etc/NX/nxnode --help

on Windows:

move to the 'NoMachine' installation directory, by default it's under C:\'Program files (x86)' on 64bitsystems and 'C:\Program file' on 32bits machines and go to the 'bin' subdirectory.

E.g.:

> cd C:\PROGRA~1C:\Program Files (x86)> cd NoMachine\binC:\Program Files (x86)\NoMachine\bin>nxserver --helpC:\Program Files (x86)\NoMachine\bin>nxnode --help

The 'nxserver --help' and 'nxnode --help' display the list of all the available commands and optionsand their description.

Online ResourcesVisit the NoMachine Support Area to access a variety of online resources included the NoMachineForums, tutorials and FAQs: https://www.nomachine.com/support

Find a list of all documents and tutorials for v. 7: https://www.nomachine.com/all-documents

Use the Knowledge Base search engine to access articles, FAQs and self-help information:https://www.nomachine.com/knowledge-base

Leave Feedback About This GuideOur goal is to provide comprehensive and clear documentation for all NoMachine products. If youwould like to send us your comments and suggestions, you can use the contact tool available at



N°: D-010_006-NMC-NTD



Amended:A

Page 6 of 61

https://88.207.207.59:11500/support


https://88.207.207.59:11500/knowledge-base

https://www.nomachine.com/contact-request, selecting Web Quality Feedback as your option.

2. Install the Enterprise Desktop

In order to facilitate users to have a working NoMachine setup immediately after the installation andwithout the need for further operations, the installation procedure takes care of starting automaticallyall the required services, included the built-in Apache-based web server nxhtd. The nxhtd service aswell as the Apache web server, to work in all possible environments is configured to listen on allinterfaces (0.0.0.0). In some corporate network configurations this can lead to open ports onunintended interfaces, which can have an impact on the security level established by company strictpolicies. In this case administrators should install the NoMachine server package with the appropriateoption to not start services automatically, see the related paragraph 2.8. in this guide. Then theyneed to change the configuration of nxhtd as explained here:https://www.nomachine.com/AR01R01070.

2.1. Install the Enterprise Desktop

Supported Operating SystemsWindows 32-bit/64-bit XP/Vista/7/8/8.1/10

Windows Server 2008/2012/2016/2019

Mac OS X Intel 64-bit 10.7 to 10.15

Linux 32-bit and 64-bit

RHEL 4 to RHEL 8SLED 10 to SLED 15SLES 10 to SLES 15openSUSE 10.x to openSUSE 15.x Mandriva 2009 to Mandriva 2011Fedora 10 to Fedora 31Debian 4.0 to Debian 10Ubuntu 8.04 to Ubuntu 20.04

Raspberry Pi 2/3/4 ARMv6/ARMv7/ARMv8

Hardware requirementsIntel Core2 Duo or AMD Athlon Dual-Core or equivalent1 GB RAMNetwork connection (either a LAN, or Internet link: broadband, cable, DSL, etc...)Size required on disk:Windows 210 MB Linux 195 MB Mac 180 MBARMv6 175 MB



N°: D-010_006-NMC-NTD



Amended:A

Page 7 of 61

https://88.207.207.59:11500/contact-request

https://88.207.207.59:11500/AR01R01070

ARMv7 165 MBARMv8 185 MB

Software requirementsA desktop environment must already be installed. This applies also to headless Linux machines. Connections by the web and by NoMachine clients are supported.

Compatibility with older versionsEven if it's advisable to upgrade client installations to the same version 7 of the Enterprise Desktop,compatibility with clients v. 6 and 5 is preserved.Note also that when the Enterprise Desktop works as a federated server, NoMachine Cloud Server v.7 requires a client v. 7 or 6.

2.2. Windows Installations

INSTALL Download the package for Windows from the NoMachine web site and install it by double-clicking onthe icon of the executable: a setup wizard will take you through the installation. Accept to reboot themachine, this is mandatory for completing the installation.

If you own a customer license we recommend to download the package from your Customer Area:https://www.nomachine.com/support#login.

TIP

To install the package in silent or very silent mode from a CMD console, run respectively:

>nomachine-packageName_packageVersion.exe /silent

or:

>nomachine-packageName_packageVersion.exe /verysilent

Then reboot the machine:

>SHUTDOWN -r -t 10 -c " your comments here"

To specify a non-default installation directory, use:

>nomachine-packageName_packageVersion.exe /SILENT /DIR="X:Target_directory"

or:

>nomachine-packageName_packageVersion.exe /VERYSILENT /DIR="X:Target_directory"

Note for Windows XP: the NoMachine server will not start until the machine is rebooted.



N°: D-010_006-NMC-NTD



Amended:A

Page 8 of 61

https://88.207.207.59:11500/support#login

UPDATEThe update procedure for server and node installations requires to stop all NoMachine services inorder to correctly replace libraries and binaries. This implies that the Enterprise Desktop is notaccessible to users during the update procedure. Current sessions will be terminated, users will beable to connect again later.

There are two ways to update your current installation:I Automatic updates

You can update your installation from our repositories. Just run the NoMachine UI from yourPrograms Menu and open the Server -> Settings -> Updates panel and click on the 'Check now'button.

NoMachine has the automatic check for updates enabled: it will check by default our repositoriesevery two days to verify if updates are available. In this case, the server will prompt a dialoginforming that a new version is available but it will never automatically update the currentinstallation.

Checking for updates can be disabled from that dialog by selecting the 'Don't ask again for thisversion' option or in the Updates panel by unchecking the 'Automatically check for updates'option.

You can find detailed instructions for configuring the Automatic Updates in a separate documentavailable at: https://www.nomachine.com/all-documents .

II Update with NoMachine packages

Alternatively, download the latest available package from the NoMachine web site and click onthe executable file to launch Setup. As for the installation, Setup will guide you through all stepsnecessary for updating your installation.

If you own a customer license we recommend to download the package from your CustomerArea: https://www.nomachine.com/support#login.

UNINSTALLYou can uninstall NoMachine Enterprise Desktop from the Windows Control Panel and the 'Add orRemove Programs' in Windows XP or 'Program and Features' in Windows Vista, 7, 8 or 10. Find theNoMachine program in the list of installed programs and choose to uninstall it.On Windows 8 or later you can use the Search box from the Charms bar on the right side of thescreen: type Control Panel to open it. Then access the Programs - 'Uninstall a program' panel.On Windows 7, Vista and XP, click on the Start button and click to open the Control panel from theStart menu. Then access panel 'Programs and Features' or 'Add or Remove Programs', depending onyour Windows version.

Reboot is requested to complete the uninstalling process.

TIP

To uninstall from a CMD console, move to C:/ProgramData/NoMachine/var/uninstall/ (if you areon Vista/7/8/10) or to C:/Documents and Settings/All Users/NoMachine/var/uninstall/ (if you are on



N°: D-010_006-NMC-NTD



Amended:A

Page 9 of 61



XP). Then run:

> unins000.exe /silent

or:

> unins000.exe /verysilent

Uninstalling is completed when your command prompt is back. Then, your computer will restartautomatically.

2.3. Mac Installations

INSTALL Download the DMG package from the NoMachine web site. Double-click on the disk Image to open itand see the package icon. Then double-click on the package icon to install the program: the installerwill take you through the installation.


TIP

To install from the command line, run:

$ NXMOUNTDIR=$(echo `hdiutil mount nomachine-enterprise-desktop_version.dmg | tail -1 | awk '{$1=$2="";print $0}'` | xargs -0 echo)

$ sudo installer -pkg "${NXMOUNTDIR}/NoMachine.pkg" -target /

UPDATEThe update procedure for server and node installations requires to stop all NoMachine services inorder to correctly replace libraries and binaries. This implies that the Enterprise Desktop is notaccessible to users during the update procedure. Current sessions will be terminated, users will beable to connect again later.

There are two ways to update your current installation:

I Automatic updates


NoMachine has the automatic check for updates enabled: it will check by default our repositories



N°: D-010_006-NMC-NTD



Amended:A

Page 10 of 61


every two days to verify if updates are available. In this case, the server will prompt a dialoginforming that a new version is available but it will never automatically update the currentinstallation.






UNINSTALLTo uninstall the Enterprise Desktop drag and drop NoMachine from Applications to trash or select'Move to trash' from the mouse button menu. This will uninstall all the NoMachine software.

TIP

To uninstall from command line , it's enough you remove the NoMachine application directory:

$ sudo rm -rf /Applications/NoMachine.app

2.4. Linux Installations

Installing for the first timeYou can install, update and uninstall using the graphical package manager of your Linux distributionor from command line by running commands from an xterm or similar with the sudo utility, or as rootuser if you don't have sudo installed. Instructions below refer to installation by command line.


Successive updates The update procedure for server and node installations requires to stop all NoMachine services inorder to correctly replace libraries and binaries. This implies that the Enterprise Desktop is notaccessible to users during the update procedure. Current sessions will be terminated, users will beable to connect again later.

There are two ways to update your current installation:

I Automatic updates



N°: D-010_006-NMC-NTD



Amended:A

Page 11 of 61





NoMachine has the automatic check for updates enabled: it will check by default our repositoriesevery two days to verify if updates are available. In this case, the server will prompt a dialoginforming that a new version is available but it will never automatically update the currentinstallation.






2.5. RPM Packages

If you want to install to default location , namely /usr/NX/:

INSTALL

# rpm -ivh <pkgName>_<pkgVersion>_<arch>.rpm

To find out which NoMachine package you have installed (you will get the full name of the package), run:

# rpm -qa | grep nomachine

UPDATE

# rpm -Uvh <pkgName>_<pkgVersion>_<arch>.rpm

UNINSTALL

# rpm -e nomachine-enterprise-desktop



N°: D-010_006-NMC-NTD



Amended:A

Page 12 of 61



TIP

For non-default locations, for example /opt/NX:

INSTALL

# rpm -ivh <pkgName>_<pkgVersion>_<arch>.rpm --prefix /opt

UPDATE

# rpm -Uvh <pkgName>_<pkgVersion>_<arch>.rpm --prefix /opt

UNINSTALL

# rpm -e nomachine-enterprise-desktop

2.6. DEB Packages

If you want to install to default location , namely /usr/NX/:

INSTALL

$ sudo dpkg -i <pkgName>_<pkgVersion>_<arch>.deb

To find out which NoMachine package you have installed (you will get the full name of the package), run:

$ dpkg -l | grep nomachine

UPDATE

$ sudo dpkg -i <pkgName>_<pkgVersion>_<arch>.deb

UNINSTALL

$ sudo dpkg -r nomachine-enterprise-desktop

TIP



N°: D-010_006-NMC-NTD



Amended:A

Page 13 of 61


INSTALL

$ sudo NX_INSTALL_PREFIX=/opt dpkg -i <pkgName>_<pkgVersion>_<arch>.deb

UPDATE

$ sudo NX_INSTALL_PREFIX=/opt dpkg -i <pkgName>_<pkgVersion>_<arch>.deb

UNINSTALL

$ sudo dpkg -r nomachine-enterprise-desktop

2.7. TAR.GZ Packages

If you want to install to default location , namely /usr/NX/, ensure that package is placed there.

INSTALL

$ cd /usr

$ sudo tar xvzf <pkgName>_<pkgVersion>_<arch>.tar.gz

$ sudo /usr/NX/nxserver --install

UPDATE

$ cd /usr

$ sudo tar xvzf <pkgName>_<pkgVersion>_<arch>.tar.gz

$ sudo /usr/NX/nxserver --update

UNINSTALL

$ sudo /usr/NX/scripts/setup/nxserver --uninstall

$ sudo rm -rf /usr/NX

TIP



N°: D-010_006-NMC-NTD



Amended:A

Page 14 of 61


INSTALL

$ sudo NX_INSTALL_PREFIX=/opt /usr/NX/nxserver --install

UPDATE

$ sudo NX_INSTALL_PREFIX=/opt /usr/NX/nxserver --update

UNINSTALL

$ sudo /opt/NX/scripts/setup/nxserver --uninstall$ sudo rm -rf /opt/NX

2.8. Installing Without Starting NoMachine Services Automatically

The install procedure automatically starts all the required services without the need of further manualoperations. Only in case of Windows it's necessary to reboot the machine to complete the installationand ensure that all the required services are up and running.

It may be necessary in some cases, for example because of Company policies, that NoMachineservices are not started automatically during the installation.

TIP

If the configuration of your network requires to restrict or specify on which ports the NoMachinebuilt-in Apache web server should listen, configure nxhtd as explained here:https://www.nomachine.com/AR01R01070 before starting NoMachine services manually!

Disabling the automatic start of services can be done manually by means of the following commands.

Linux Export the NX_NOSTART=1 variable while installing the package from a terminal with the usualcommands:

sudo NX_NOSTART=1 dpkg -i <nomachine DEB package>

sudo NX_NOSTART=1 rpm -ivh <nomachine RPM package>

sudo NX_NOSTART=1 tar xvzf <nomachine TAR GZ package>sudo NX_NOSTART=1 /usr/NX/nxserver --install

To start NoMachine services:

sudo /etc/NX/nxserver --startup



N°: D-010_006-NMC-NTD



Amended:A

Page 15 of 61

https://88.207.207.59:11500/AR01R01070

Windows Install the package in silent or very silent mode from a CMD console launched as administrator andspecify the /nostart=1 switch:

nomachine-packageName_packageVersion.exe /verysilent /nostart=1

nomachine-packageName_packageVersion.exe /silent /nostart=1

Rebooting Windows is necessary to complete the installation.

TIP

Rebooting will start the NoMachine services.

macOSCreate the /tmp/NX_NOSTART file before installing the NoMachine DMG package (double click on it).To install from command line:

touch /tmp/NX_NOSTART hdiutil mount nomachine-packageName_packageVersion.dmgcd /Volumes/nomachine-packageName/sudo installer -pkg NoMachine.pkg -target /

To start NoMachine services:


2.9. Activating the License (for Customers)

Customers' packagesinclude a temporary (30 days) node.lic and server.lic files for evaluation.Such license files have to be replaced with the customer's license files acquired from NoMachine. Thiscan be done via the NoMachine UI in Settings -> Server -> Updates panel: click on 'Serversubscription' and 'Node subscription' to read the current license file. Click on 'Replace' button toactivate a new license file. You will be requeste to log-in with a privileged account (administrator).

TIP

Starting from version 7, the server will cease to work once the license is expired. Please contactyour NoMachine provider or the Support Team for renewal options.



N°: D-010_006-NMC-NTD



Amended:A

Page 16 of 61

To verify from command line that server.lic and node.lic are correctly in place and check theirvalidity, you may run the nxserver/nxnode --subscription and --version commands. On Linux andmacOS:

sudo /etc/NX/nxserver --subscription

sudo /etc/NX/nxnode --subscription

sudo /etc/NX/nxserver --version

sudo /etc/NX/nxnode --version

on Windows:

cd C:\Program files (x86)\NoMachine\bin\ nxserver --subscription

nxnode --subscription

nxserver --version

nxnode --version

3. Initiating a NoMachine Connection (end-user's side)

Pre-requisite: you need to have a valid account on the the Enterprise Desktop host, passwordcannot be empty. Your account can be a local account or a LDAP account or an AD account.NoMachine doesn't check if the source of users' account information is for example LDAP or localaccount database. Be sure to configure the login in advance.

3.1. Connecting by Browsers Via Enterprise Desktop Web Tools

Once installation is complete, Enterprise Desktop is ready to go.

Point the browser on your device to:

http://SERVER:4080

Where SERVER is either the name or IP address of the Enterprise Desktop host you want to reach.

E.g., if Enterprise Desktop is installed on a host named 'myserver.com', the URL will look like this:



N°: D-010_006-NMC-NTD



Amended:A

Page 17 of 61

http://myserver.com:4080

Connection will be automatically switched to HTTPS protocol:

https://myserver.com:4443/nxwebplayer

In the login form, provide username and password of your account on the Enterprise Desktop hostand connect.

TIPS

I Auto-reconnection is supported: when the connection is lost for whatever reason (includingwhen browser's computer has entered sleep mode), the NoMachine web application willautomatically try to reconnect for as long as the user keeps the web page open. If reconnectingis not possible, then the user will have to reconnect manually.

II IPv6 is supported: specify the IP address of the server host in IPv6 format (e.g.2001:0:5ef5:79fb:30c6:1516:3ca1:5695) if you want to use it instead of IPv4.

You can find a step-by-step tutorial for connections by the web in the 'Tutorials' section at:https://www.nomachine.com/all-documents

3.2. Connecting by NoMachine Client

Install NoMachine Enterprise Client on your device. You can use also NoMachine free or whicheverother server type, they all provide the client UI for connecting to remote computers.

In the 'Machines' panel you can create a new connection by clicking on 'Add': just provide the IPaddress of the Enterprise Desktop you want to connect to and port number.

You can find a step-by-step tutorial for connections to NoMachine in the 'Tutorials' section at:https://www.nomachine.com/all-documents. The tutorial deals with connections with NoMachine free,but it is suitable also for connections to the Enterprise Desktop. If you're using the Enterprise Client,please see also its Installation and Configuration Guide in the 'Installation' section at the same webpage above.

TIPS

I Auto-reconnection is supported: when the connection is lost for whatever reason (includingwhen the client host has entered sleep mode), the client will automatically try to reconnect foras long as the user keeps the UI open. If reconnecting is not possible, then the user will have toreconnect manually.

II IPv6 is supported: specify the IP address of the server host in IPv6 format (e.g.2001:0:5ef5:79fb:30c6:1516:3ca1:5695) if you want to use it instead of IPv4.



N°: D-010_006-NMC-NTD



Amended:A

Page 18 of 61



3.3. Preventing Users from Storing their Credentials

To prevent NoMachine users from storing their credentials when connecting to this EnterpriseDesktop, use the EnableCredentialsStoring key in the server configuration file:BaseDirectory/NX/etc/server.cfg on Linux BaseDirectory/NoMachine/etc/server.cfg on Windows/Applications/NoMachine.app/Contents/Frameworks/etc/server.cfg on Mac

The EnableCredentialsStoring accepts any these values:player Only users connected via NoMachine client are enabled to save username and password inthe connection file stored on their devices (computer, tablet etc ...)webplayer Only users connected via browser can choose to save their access credentials. They arestored in the browser's cookie, given that the user's browser has cookies enabled.both All users, regardless if connected via NoMachine client or via web, can store their credentials.none Users cannot save their username and password. They will be requested to provide their log-incredentials at each connection.

For example, to allow only users connecting via NoMachine client to store credentials, set in theserver configuration file: EnableCredentialsStoring player

4. Configuring NoMachine Enterprise Desktop

4.1. Configuring Web Sessions

The configuration file for the web player program (which provides the graphical front-end) and theweb client program (which manages web sessions) is server.cfg, located in:BaseDirectory/NX/etc on Linux BaseDirectory/NoMachine/etc on Windows /Applications/NoMachine.app/Contents/Frameworks/etc on Mac.

For example on Linux it is: /usr/NX/etc/server.cfg.

Default settings The Section directive defines settings for the NoMachine server(s) where the web player applicationwill connect. This directive, by default, points to localhost and looks like:

Section "Server"

Name "Connection to localhost"Host localhostProtocol NXPort 4000Authentication password



N°: D-010_006-NMC-NTD



Amended:A

Page 19 of 61

EndSection

Name is a label that can be displayed as an alternative to show hostname of the server. To changethe name to be displayed, it's necessary to enable also the EnableWebConnectionName key inserver.cfg: EnableWebConnectionName 1

Host is IP or hostname of the NoMachine server host. If different than localhost, it's then necessary to update manually the list of known hosts as explainedhere: https://www.nomachine.com/AR06P00984

Protocol specifies the protocol, NX or SSH, that the web player will use to connect to the NoMachineserver. Default is:

Protocol NXPort 4000

To use SSH protocol with default port, set for Linux and Mac:

Protocol systemPort 22

and for Windows:

Protocol systemPort 4022

Port indicates the listen port for the server, by default 4000 for connections by NX protocol, 22 forconnections by SSH protocol on Linux and macOS and 4022 for connections by SSH on Windows.

This setting has to be changed only when NoMachine is configured to listen on a non-default port.Changing the port for web connections requires a manual procedure available here:https://www.nomachine.com/AR06N00888

Authentication defines the authentication method to be used when connecting by the web, bydefault 'password':

Protocol NX Authentication passwordand:

Protocol SSH Authentication password

Key-based authentication is supported at the moment only for NX protocol, instructions to set it upare available here: https://www.nomachine.com/AR03Q01020

TIP

Server configuration: by default the nxd service in charge to accept connections by NX protocol listens on port 4000.On Linux and mac, connections by SSH relies on the system SSHD and default port 22.On Windows, NoMachine ships its own nxsshd service, listening on port 4022.In order to change the port for NX protocol, change the port for the nxd service via UI in the Settings-> Server -> Ports panel. To change the port for connections by SSH to Linux and Mac hosts, modify the listen port for the



N°: D-010_006-NMC-NTD



Amended:A

Page 20 of 61

https://88.207.207.59:11500/AR06P00984

https://88.207.207.59:11500/AR06N00888

https://88.207.207.59:11500/AR03Q01020

SSH server on the system and restart it. On Windows instead, change the port for the nxsshd service via NoMachine UI.

Other settings in server.cfg specific for web sessions are qualified by the 'Web' keyboard in theirname.

Showing hostname or a custom labelTo display hostname or IP of the Enterprise Desktop host when connecting by the web, set thefollowing key. This is the default:

EnableWebConnectionName 0

To display the label set in the 'Name' field of Section "Server" set:

EnableWebConnectionName 1

Hiding the tutorial wizard at web session startupTo not display the tutorial wizard for the menu panel at session startup, set:

EnableWebMenuTutorial 0

and to show it (this is the default):

EnableWebMenuTutorial 1

Allowing to log-in as a guestIf the Enterprise Desktop has support for guest users enabled, set the following key if you need thatusers connect by the web always as guest users:

EnableWebGuest 1If this key is disabled, users will have the possibility to choose if log-in with their credentials or as aguest.

Allowing nxhtd (the NoMachine built-in web server) to serve content of Web PlayerEnableWebPlayer 1

4.2. Managing Enterprise Desktop Web Services

You can start and stop the NoMachine HTTP server (nxhtd) from the UI in Settings -> Server -> Ports.From there you can also specify if the service has to be automatically restarted at the next reboot ornot.

To stop, start or restart nxhtd from command line on Linux or macOS, open a terminal and executerespectively:



N°: D-010_006-NMC-NTD



Amended:A

Page 21 of 61

sudo /etc/NX/nxserver --stop nxhtd

sudo /etc/NX/nxserver --start nxhtd

sudo /etc/NX/nxserver --restart nxhtd

On Windows, launch a CMD console as administrator execute:

cd C:\Program files (x86)\NoMachine\bin\

nxserver --stop nxhtd

nxserver --start nxhtd

nxserver --restart nxhtd

Automatic restart of the nxhtd serviceThe nxhtd service is automatically restarted at the next boot. You can change the default behavior forthe nxhtd service from the UI or by using the following command:

nxserver --startmode nxhtd manual

or to enable the automatic restart of the service:

nxserver --startmode nxhtd automatic

The nxserver --startmode command (as well as the UI setting) operates on the StartHTTPDaemon keyin the server.cfg file:

StartHTTPDaemon Automatic

and:

StartHTTPDaemon Manual

Disabling connections by the webEdit the server configuration file and remove HTTP from the ClientConnectionMethods key. It shouldthen look like: ClientConnectionMethods NX,SSH

Then restart NoMachine server to make this change effective:

nxserver --restart



N°: D-010_006-NMC-NTD



Amended:A

Page 22 of 61

4.3. Using an Alternative Apache Web Server

NoMachine Enterprise Desktop is designed to provide a fully integrated service to deploy sessions onthe web which doesn't require additional software to be installed or manual configuration. Theminimal Apache web server, nxhtd, provides the necessary modules and is pre-configured to workwith the web player application.

However, it is possible to run the web player application with an alternative Apache web server. Lookfor detailed instructions in our Knowledge Base, section Articles, by searching for the 'Apache'keyword: https://www.nomachine.com/knowledge-base.

4.4. Web Optimizations: Using WebRTC (Real-Time WebCommunication)

The implementation of WebRTC support in browser-based remote desktop sessions must be enabledexplicitly by the administrator by editing the server.cfg file.

With the help of a STUN/TURN server for negotiating NAT traversal, peer-to-peer WebRTCcommunication can be established also when the web session has to be run behind a NAT.

STEP 1: Uncomment and set the AcceptedWebMethods key as follows to enable the use of WebRTC:

AcceptedWebMethods webrtc

STEP 2: If the node machine where the web session will be started is behind a NAT, you need touncomment the following section in server.cfg:

Section "STUN"

Host hostnamePort portnumberUser usernamePassword password

EndSection

and provide relevant information to contact a STUN or TURN server. In this last case change Sectionname to "TURN".

See also: https://www.nomachine.com/AR07N00892 for further intructions about the configurationand: https://www.nomachine.com/AR07N00894 for an example about how to set up your ownSTUN/TURN server and configure the Enterprise Desktop accordingly.

5. Compression Techniques and Optimizations



N°: D-010_006-NMC-NTD



Amended:A

Page 23 of 61

https://88.207.207.59:11500/knowledge-base

https://88.207.207.59:11500/AR07N00892

https://88.207.207.59:11500/AR07N00894

5.1. Video Stream Encoding in Web Sessions

In case of web sessions, by default, session data are streamed in video frames compressed anddecompressed by using the MJPEG lossy algorithm, which is the video-format widely supported bybrowsers.

Oher video codecs like VP8 and H.264, require to enable WebRTC and a browser which supportsWebRTC and HTML5.

NoMachine web sessions use the H.264 video streaming when the following requirements are all met,otherwise VP8 is used:

I WebRTC is enabled.II The browser supports WebRTC and the H.264 decoding

In practice, when WebRTC is enabled, the H.264 or VP8 encoding will be used (if the browser supportsWebRTC), otherwise the classic web media exchange protocol will be used and MJPEG will be thecodec.

TIP

H.264 hardware encoding is possible when the Enterprise Desktop host machine has an hardwareaccelerated video cards (GPU) with Nvidia Kepler microarchitecture onward or Intel Quick Syncprocessors or AMD card (at the moment only on Windows).Enabling HW acceleration by Quick Sync requires however a manual configuration as explainedhere: https://www.nomachine.com/AR09O00938

OptimizationsOptimizations can be done in two ways: (I) by adjusting display settings in the session or (II) byenabling WebRTC.

I Adjusting display settings in the web sessionsTo access NoMachine display settings, open the NoMachine menu inside the web session: pressctrl+alt+0 or click on the page peel in the upper right corner of the window to open it. Then clickon the 'Display' button and finally on 'Display settings'. From this panel you can do the following.

Change the display image qualityIncreasing the quality will mean to apply a minor compression ratio, the image will be clearer,but more bandwidth will be used.

Disable network-adaptive display qualityThis will anchor the display quality to the fixed value specified in the Display quality slider,making it independent from the current network congestion. This is not recommended whenthere is a very limited bandwidth.



N°: D-010_006-NMC-NTD



Amended:A

Page 24 of 61

https://88.207.207.59:11500/AR09O00938

Disable multi-pass display encodingThis will disable the progressive refinement of the image from the lower quality version of theimage during moments of inactivity of the desktop till the target quality set in the Display qualityslider. Disabling this refinement will send the image directly with target quality. This is notrecommended when there is a very limited bandwidth.

II Enabling WebRTCNoMachine web sessions use by default the classic web media exchange protocol for the two-waybrowser/web server communication. WebRTC (Real-Time Web Communication) is also supportedand can be enabled as explained in the next paragraph.Enabling WebRTC allows to use the H.264 video streaming (when possible) or VP8 which optimizeusers'experience with multimedia applications and contents.

TIP

You may verify which encoding method is in use from the NoMachine menu inside the session: pressctrl+alt+0 or click on the page peel in the upper right corner of the window to open it. Then click onthe 'Display' button and finally on 'Display settings'. The codec actually on use is reported at thebottom left of the menu.

5.2. Video Streaming Encoding in Client Sessions

Sessions run by NoMachine client use a combination of video and image encoding based on standardcodecs and a number of techniques developed by NoMachine. Frames are encoded into a videostream optimized by means of a compression and decompression algorithm of real-time image andaudio data. VP8, H.264 and MJPEG encoding are supported.

In general H.264 (default) and VP8 are suitable for all situations, while MJPEG can be an alternativewhen the end-user's computer is less powerful and the user is experiencing slow responsiveness.

The display encoder can be changed on the server:

from the UIIn the UI in the Settings -> Server -> Performance panel.

or in the node configuration file, node.cfg:

EnableDisplayServerVideoCodec 1DisplayServerVideoCodec CODEC

where CODEC can be: 'vp8','h264' or 'mjpeg'. For example:EnableDisplayServerVideoCodec 1DisplayServerVideoCodec mjpeg

6. Enterprise Desktop's Configuration



N°: D-010_006-NMC-NTD



Amended:A

Page 25 of 61

6.1. Configuration Files

The configuration files for the nxserver and nxweplayer/nxwebclient programs is server.cfg. Theconfiguration file for the nxnode program is node.cfg.

They are placed in the:BaseDirectory/NX/etc directory on Linux

BaseDirectory/NoMachine/etc directory on Windows

/Applications/NoMachine.app/Contents/Frameworks/etc/ directory on Mac.

The Default ConfigurationNoMachine Enterprise Desktop comes with a default configuration that is sufficient to grant a workingsetup in the majority of environments. You can tune your server installation at any moment andaccording to your specific needs by setting the related configuration keys. In some cases this willrequire to restart all NoMachine services.

Edit the Configuration FilesNoMachine configuration files are text files made up of a number of key-value pairs. All theconfiguration files can be edited manually by a text editor. For example 'vi' can be used on Linux andMac, and 'notepad' on Windows. On Windows it can be necessary that you copy the cfg file in adifferent place, edit it and move it to the etc directory.

Be sure to uncomment the configuration key (i.e., remove the '#' pre-pended to the key) to set avalue different from the default.

When a configuration key supports an on/off status, set value to '0' to disable it and to '1' to enable it.

Make Changes to the Default Configuration EffectiveChanges will be effective with the next new connection without the need to restart the server if nototherwise specified.

7. Services Management

Installation and upgrade procedures take care of configuring and starting all the necessary servicesto make NoMachine Enterprise Desktop ready to accept connections to its physical desktop. Thenecessary services are configured to be restarted at each reboot of the host machine.

7.1. Accepting Connections

When you are sit in front of the computer where Enteprise Desktop is installed or you're connected



N°: D-010_006-NMC-NTD



Amended:A

Page 26 of 61

there by NoMachine, you can switch off/on the ability to accept connections to your desktop viaNoMachine. When you disable the sharing of your screen, nobody can connect.

You can configure this setting via the NoMachine Monitor menu (right click on the !M icon in thesystem tray to open it) by clicking on item "Accept connections".

This setting lasts until you change it again, even when you physically log-out from the system.

See also this tutorial for more details: https://www.nomachine.com/disabling-access-to-your-local-desktop

TIPS

I Be careful if you decide to disable accepting connections when you are connected from remote:you will be no longer able to reconnect to the desktop via NoMachine once the current session isclosed. In this case, you can recover the ability to connect via NoMachine by changing settingsin the Monitor menu on the physical computer.

II It's posible to hide the 'Accept connections' item from the !M menu by configuring theNoMachine node.cfg file on that computer and setting:EnableAcceptingConnections 0Be sure to remove the pre-pending # from the key name.

7.2. Stopping and Starting Server (nxserver) and Services

All NoMachine services can be stopped/started via:

the UIall NoMachine services can be stopped by the UI in the Settings -> Server -> Status panel, this willterminate all users' connections. Click on 'Shut down the server', when doing so, you will be asked ifservices must be started at the next reboot or not.

To stop only incoming new connections and preserve current connections, you can choose 'Stop theserver'.

In the same panel, you can then restart server and services by clicking on 'Restart the server'.

or from command line.

On Linux and macOS, open a terminal and use the appropriate command:sudo /etc/NX/nxserver --shutdown

This will completely disable access to the server host machine and terminate all connections already running onthat host. By default, all services will be restarted when the machine is booted. To override this behavior, specifythe --startmode option when stopping the services:

sudo /etc/NX/nxserver --shutdown --startmode manual


All services will be restarted at the next reboot. To not start services when the machine is rebooted, specify thestart mode while running the --startup command:



N°: D-010_006-NMC-NTD



Amended:A

Page 27 of 61

https://88.207.207.59:11500/disabling-access-to-your-local-desktop

sudo /etc/NX/nxserver --startup --startmode manual

sudo /etc/NX/nxserver --startup --startmode manual

sudo /etc/NX/nxserver --restart

on Windows, open a CMD console as administrator and use the appropriate command:


nxserver --shutdown

This will completely disable access to the server host machine and terminate all connections already running onthat host. By default, all services will be restarted when the machine is booted. To override this behavior, specifythe --startmode option when stopping the services:

nxserver --shutdown --startmode manual

nxserver --startup

All services will be restarted at the next reboot. To not start services when the machine is rebooted, specify thestart mode while running the --startup command:

nxserver --startup --startmode manual

nxserver --startup --startmode manual

nxserver --restart

7.3. Stopping and Starting nxd, nxhtd and nxsshd

The NoMachine network services available for NoMachine Enterprise Desktop are nxd, nxhtd (bothinstalled on all platforms) and nxsshd (installed on Windows only):

Program Default port Scope Available on

nxd 4000 Accept connections byNX protocol Linux, Windows and Mac

nxhtd 4080 and 4443Accept connections by

HTTP protocol(connections by the

web)Linux, Windows and Mac

nxsshd 4022 Accept connections bySSH protocol Windows



N°: D-010_006-NMC-NTD



Amended:A

Page 28 of 61

You can stop a single service:

via the UIin the Settings -> Server -> Ports -> panel. You can choose there also the start mode: if the servicemust be started automatically at the next boot or not. From the same panel, you can then start theservice.

or from command line.

On Linux and Mac, execute in a terminal the appropriate command to stop or start the service:

sudo /etc/NX/nxserver --stop nxd

sudo /etc/NX/nxserver --stop nxhtd

sudo /etc/NX/nxserver --start nxd

sudo /etc/NX/nxserver --start nxhtd

On Windows, open a CMD console as administrator and execute the appropriate command to stop orstart the service:


nxserver --stop nxd

nxserver --stop nxhtd

nxserver --stop nxsshd

nxserver --start nxd

nxserver --start nxhtd

nxserver --start nxsshd

Any of the 'nxserver --stop/start SERVICE'commands above accept the --startmode parameter tospecify if the service has to be started in 'automatic' or 'manual mode:

nxserver --startmode SERVICE manual

or to restore the default behavior:

nxserver --startmode SERVICE automatic

Commands to stop/start services operate on the configuration keys listed below. You can also changethem manually in the server configuration.



N°: D-010_006-NMC-NTD



Amended:A

Page 29 of 61

Configuration Key settingEnable automatic starting of nxd StartNXDaemon Automatic

Disable automatic starting of nxd StartNXDaemon Manual

Enable automatic starting of nxhtd StartHTTPDaemon Automatic

Disable automatic starting of nxhtd StartHTTPDaemon Manual

Enable automatic starting of nxsshd on Windows StartSSHDaemon Automatic

Disable automatic starting of nxsshd on Windows StartSSHDaemon Manual

7.4. Local and Network Ports

For each session, NoMachine uses ports that are used only locally on the server host and networkports.

Some ports are mandatory and must be free, e.g. the session display number and the connectionport. Other ports are used for services that can be disabled (e.g. USB forwarding, UDPcommunication).

Local port Description How to change the default

11000 +DisplayBase

Session display. If this port is already inuse, NoMachine will look for a free port byincrementing DisplayBase up to the valueset in the DisplayLimit serverconfiguration key.

DisplayBase (by default 1001)and DisplayLimit (200) aredefined in server.cfg

20000Communication port between thesession's nxserver process and the mainserver process.

Add the ServerSlaveBase key tothe end of server.cfg and specifya value

24000 +DisplayBase Session's monitor port.

DisplayBase (by default 1001)and DisplayLimit (200) aredefined in server.cfg

5473 and 5483 USB devices forwarding.Disable USB sharing by settingEnableUSBSharing none innode.cfg

Network port Description How to change the default

6000 + DisplayBase

TCP port for the NoMachine displayservice. If this port is already in use,NoMachine will look for a free port byincrementing DisplayBase up to thevalue set in the DisplayLimit serverconfiguration key.

DisplayBase (by default 1001) andDisplayLimit (200) are defined inserver.cfg

5353UDP port for the MDNS service tobroadcast computer's information over

Disable the service by settingEnableNetworkBroadcast 0 in



N°: D-010_006-NMC-NTD



Amended:A

Page 30 of 61

the LAN. server.cfg

4000

TCP port for the NoMachine Networkservice (nxd) and connections via NXprotocol. This port must be open in thefirewall and mapped to the external IP ofthe server host.

Set NXPort in server.cfg andrestart the nxd service.

4011 - 4999 UDP port range.Set UDPPort in server.cfg to definea different range. UDP can bedisabled on client side.

22 (Linux and Mac)

TCP port for connections via SSHprotocol on Linux and Mac. This portmust be open in the firewall andmapped to the external IP of the serverhost.

Set a different port for the systemSSH server and align value set forSSHDPort in server.cfg. Thenrestart the NoMachine server.

4022 (Windows)

TCP port for the NoMachine SSH serveron Windows (nxsshd) and connectionsby SSH protocol. This port must be openin the firewall and mapped to theexternal IP of the server host.

Set SSHDPort in server.cfg andrestart the nxsshd service.

4080 and 4443HTTP and HTTPS port for webconnections. These ports must be openin the firewall and mapped to theexternal IP of the server host.

Change 'Listen' directives inhtd.cfg and restart the nxhtdservice.

20000 - 30000 External ports range for UPnP portmapping.

Set NXUPnPPort in server.cfg todefine a different range. SetEnableUPnP none in server.cfg todisable port mapping

5040 + x

Port opened between client and serverfor each USB device. Port number isdefined by 5040 + x where 'x' is thefirst free port retrieved starting fromport number 5040.

N/A

4000 Automatic updates from NoMachinerepositories.

Updates are managed by nxd.Disable automatic updates bysetting UpdateFrequency 0 inserver.cfg

5473 and 5483 USB devices forwarding.Disable USB sharing by settingEnableUSBSharing none innode.cfg

7.5. Hiding the NoMachine Monitor and Notification Messages

It is possible to hide or show the !M (the Monitor) icon of the Enterprise Desktop in the system tray.When the icon is hidden, notification messages will still be displayed when users are connecting. Thiscan be configured from the UI:In the Settings -> Server > Security panel, check 'Hide the NoMachine icon in the system tray'. When the icon is hidden, notification messages will still be displayed when users are connecting.

or in the node configuration fileThis setting is ruled by the DisplayMonitorIcon key in the node.cfg file.



N°: D-010_006-NMC-NTD



Amended:A

Page 31 of 61

To hide the !M in the system tray set:DisplayMonitorIcon 0

To display the !M in the system tray set:DisplayMonitorIcon 1

In both cases, then restart the server, via UI or from command line.

By default NoMachine issues a ballon message to notify about events like user's disconnection oruser's requests for connecting. You can disable notification messages by setting the following key inthe node configuration: DisplayMonitorNotifications 0

TIP

If the displaying of monitor's notification messages is disabled, the desktop owner will be unable toaccept connection's requests by other users. Configure trusted users if you need to permit theconnection without explicit authorization.

7.6. Hiding the Whiteboard and Chat Tools

If you want to disable the possibility of launching the Whiteboard from the Monitor menu, edit thenode configuration file to have:

EnableWhiteboard 0

Then restart the server, via UI or from command line.

7.7. Handling with Discovering of this Server on LAN

By default NoMachine Enterprise Desktop broadcasts information to let other NoMachine computersto discover it on the local network. You can disable this feature via:the UIin the Server Settings -> Ports panel: uncheck option 'Advertise this computer on the local network'.

or in the server configuration fileset the following key in server.cfg:

EnableNetworkBroadcast 0

Then restart the server via UI or from command line.



N°: D-010_006-NMC-NTD



Amended:A

Page 32 of 61

8. Notifications to Users

8.1. Whiteboard and Custom Notifications

NoMachine provides an instant messaging tool, named whiteboard which allows also drawing andsharing files with connected users and fast-track access to file transfer. Right mouse click on the !Micon in the system tray of the Enterprise Desktop host and click on 'Show whiteboard'. Note that ifmultiple users are connected at the same time, they will all see the message.

Sending a message to all sessions or to a specific session

On Linux and Mac execute in a terminal any of the follwoing commands:

sudo /etc/NX/nxserver --broadcast "Your message goes here"

sudo /etc/NX/nxserver --message <sessionid> "Your message goes here"

On Windows, open a CMD console as administrator and execute:


nxserver --broadcast "Your message goes here"

nxserver --message ses <sionid> "Your message goes here"

9. Supported Connection Protocols and Authentication Methods

NX ProtocolNoMachine connections by default use the NX protocol which is its own protocol for securecommunication over the network. Encryption in the NX protocol is implemented using OpenSSLTLS/SSL, based on ECDHE-RSA-AES128-GCM-SHA256 as the default cipher suite. ECDHE-RSA-AES128-GCM-SHA256 is an AES (Advanced Encryption Standard) block cipher with 128 bits key in GCM(Galois/Counter Mode). RC4 (ECDHE-RSA-RC4-SHA cipher suite) is used as a backward compatibilitywhen connecting from or to versions 4.0.

When using the NX protocol, NX data can travel on TCP and UDP streams, even at the same time. Theclient and server can decide dynamically what transport to use, based on the type of data and thenetwork conditions. Client and server negotiate the UDP transport at session startup, after havingnegotiated the main TCP link. UDP uses symmetric Blowfish encryption, with key negotiated on thesecure TCP link. UDP is presently not available when using the SSH tunneling, to ensure that all datagoes through the same SSH link, as it was in legacy version 3. UDP protocol can be also disabled.



N°: D-010_006-NMC-NTD



Amended:A

Page 33 of 61

SSH ProtocolNoMachine Enterprise Desktop also provides tunneling of connections using SSH and full integrationwith any authentication backend supported by the host SSH server. On Windows systems, NoMachineprovides a built-in SSH server, nxsshd.

Authentication methodsThese are the authentication methods supported by NoMachine when connections use the NXprotocol or the SSH protocol:

Authentication method NX protocol SSH protocol

Login with user's password yes yes

Login with SSH private key(*) yes yesLogin with SSH private key provided by a

SSH agent - yesLogin with SSH private key stored on a

smart card(*) - yes

Login with Kerberos ticket (**) yes yes

(*)Support for SSH agent forwarding - yes(**)Support for Kerberos tickets

authentication forwarding yes yes

Support for two-factor authentication yes yes

9.1. Defining Protocol in Server Configuration

Protocols are defined in the ClientConnectionMethods key in the server configuration. They arespecified as a comma-separated list of values:

ClientConnectionMethods NX,SSH,HTTP

This key is automatically populated during the installation or the update of the package. It is possibleto exclude any of the available protocols to force users to connect by the desired protocol.

For example, to use only NX protocol, set this key to:ClientConnectionMethods NX

and restart the server.

TIPS

I If your server supports SSH but it still reports that SSH is not available, check theClientConnectionMethods key and ensure that the SSH values is set. Then restart the server.

II Removing 'HTTP' from the ClientConnectionMethods key will disable the starting of theNoMachine HTTP server and prevent connections via web.



N°: D-010_006-NMC-NTD



Amended:A

Page 34 of 61

9.2. Locking Down the Accepted Authentication Methods

Administrators may decide how the user should authenticate on the server by defining whichauthentication method(s) is/are available. Authentication methods can be set in the serverconfiguration file by editing this key:

AcceptedAuthenticationMethods all

By default all methods are accepted. They can be restricted by providing a comma-separated list ofvalues, they will indicate which authentication method is permitted.

Accepted values for connections by NX protocol are:NX-password to allow password authentication.NX-private-key to allow key-based authentication.NX-kerberos to allow Kerberos ticket-based authentication.

while for connections by SSH protocol:SSH-system to allow all methods supported for the system login. SSH authentication methods for thesystem login have to be set on the system for example in the PAM configuration.

For example, to accept key-based and Kerberos ticket-based authentication for the NX protocol:

AcceptedAuthenticationMethods NX-private-key, NX-kerberos

Settings in the client UIWhen you connect by the client to a remote computer, you can select the authentication method foryour connection while creating it or change it later (right mouse click on the connection icon -> Editconnection -> Configuration).

9.3. Changing Port for the NX Protocol

By default nxd is listening on port 4000 to accept connections by NX protocol.

If you change the listen port for nxd, connecting users will have to specify the new value in theirconnection settings in the client UI.

It's possible to modify the port for nxdfrom the UIin the Settings -> Server -> Ports panel

or in the server configuration file by editing this key:NXPort 4000

Restart nxd via UI or from command line.



N°: D-010_006-NMC-NTD



Amended:A

Page 35 of 61

TIP

When NX protocol is used, UDP communication for multimedia is enabled by default.

9.4. Changing Port for the SSH Protocol

The default port used for the SSH protocol is 22 on Linux and Mac. On such platforms NoMachinerelies on the SSH server installed on the system. If your SSHD is configured to listen on a portdifferent from 22 you need to align the NoMachine server configuration accordingly. Connecting userswill have to specify such value in their connection settings in the client UI.

To align the server configuration, change the SSH port via UI in the Settings -> Server -> Ports panel

or in the server configuration file by editing this key:SSHDPort 22

On Windows, NoMachine provides the SSH server, nxsshd, listening on port 4022. As explainedabove, this port can be changed from the UI or in the server configuration file (SSHDPort 4022).

Restart nxsshd via UI or from command line.

9.5. Connecting to a Server Behind a NAT Router (UPnP PortMapping)

Automatic discover of the NoMachine Enterprise Desktop host is possible only when the server andthe user's machine are on the same LAN. When the user connects over the internet or from adifferent network, it's mandatory to know the public (or external) IP of the Enterprise Desktop.

When the server is behind a NAT router, you have to configure the router to map an external port tothe internal port 4000 for connections by NX protocol, or 22 or 4022 (Windows) for connections bySSH. This is called 'port forwarding' or 'port mapping'.

If the router supports UPnP/NAT-PMP, you can let NoMachine Enterprise Desktop try to enable portforwarding in the router automatically. External ports will be selected randomly from the 20000 -30000 range.

Users connecting to the Enteprise Desktop will have to specify the external port in their connectionsettings in the client UI.

Enabling the automatic port forwarding Step 1: Set in the server configuration:EnableFirewallConfiguration 1

Step 2: Specify for which service the port forwarding must be enabled by listing them in thefollowing key:



N°: D-010_006-NMC-NTD



Amended:A

Page 36 of 61

EnableUPnP NX,SSH,HTTP

Step 3: (Optional) Specify the port where the NX service will be redirected by editing respectively:NXUPnPPort ""; SSHDUPnPPort "" and HTTPUPnPPort ""

TIP

To permit only connections by SSH (on external port 20048 for example) and use the automatic portforwarding, set in the server configuration: ClientConnectionMethods SSHEnableFirewallConfiguration 1EnableUPnP SSH SSHDUPnPPort "20048"and restart the server.

You can enable port forwarding for connections by NX and HTTP/HTTPS protocol also from the UIvia the Settings -> Server -> Ports panel. Selecting the service and click on 'Configure'. Then checkthe 'Gateway port' option.

Retrieving information about UPnP port mappingWhen the automatic port mapping is enabled, you can retrieve information about UPnP port mapping,e.g. IP of the gateway device, external port and port mapped via command line.

On Linux and Mac execute any of the following commands in a terminal:

sudo /etc/NX/nxserver --upnpstatus

To terminate port mapping:

sudo /etc/NX/nxserver --upnpunmap

To initiate port mapping:

sudo /etc/NX/nxserver --upnpmap

You can also specify for how long port mapping should last by using

sudo /etc/NX/nxserver --upnpmap --time

On Windows, open a CMD console as administrator and execute the appropriate upnp command:

sudo /etc/NX/nxserver --upnpstatus


nxserver --upnpunmap

nxserver --upnpmap

nxserver --upnpmap --time



N°: D-010_006-NMC-NTD



Amended:A

Page 37 of 61

9.6. Using NoMachine DBs for Managing User Access

Use of NoMachine DBs can be configured by editing the server configuration. The table below reportswhich configuration key value has to be set to enable or disable specific behavior as defined in the'Target' field:

Target Server configuration key Description

User's access based onsystem authentication(default)

EnablePasswordDB 0

Authentication is requested to thesystem, user's connection isallowed once the user has beenauthenticated. PAM, LDAP, AD aresupported.

User access based on NXPassword db EnablePasswordDB 1

Authentication is verified againstthe NX password DB. Separate theNoMachine authentication from thesystem authentication. The user'saccount must exist on the system.

Allow connections fromall authenticated users(default)

EnableUserDB 0

Every time a new account is createdvia NoMachine or an alreadyexisting system user runs thesession for the first time, the user isadded to the NoMachine NX UsersDB, even when the use of NX UsersDB is disabled. These users cannotbe disabled and are always allowedto connect if they authenticatesuccessfully.

Enable or disable user'saccess to NoMachine EnableUserDB 1

By default all users are enabled toaccess the NoMachine system onceauthenticated. With thisconfiguration a user can be disabledand re-enabled at any moment fromcommand line.

10. Users Management

10.1. Managing Users



N°: D-010_006-NMC-NTD



Amended:A

Page 38 of 61

To be able to login to the Enterprise Desktop host, you need to have a valid account on that host,password cannot be empty. Your account can be a local account or a LDAP account or an AD account.NoMachine doesn't check if the source of users' account information is for example LDAP or localaccount database. Be sure to configure the login in advance.

You can create a local account by means of system tools, or via command line by using the 'nxserver'commands.

On Linux and Mac, open a terminal and execute:

sudo /etc/NX/nxserver --useradd USERNAME --system


cd C:\Program files (x86)\NoMachine\bin\ nxserver --useradd USERNAME --system

Separate the system login from the NoMachine loginYou can assign a password, specific for the NoMachine login only, different from system password toany valid account. To do that, enable NoMachine Password DB ( EnablePasswordDB 1) in server.cfg.And ensure that the user is added to the NoMachine backend.

On Linux and Mac, execute in a terminal:

sudo /etc/NX/nxserver --useradd USERNAME


cd C:\Program files (x86)\NoMachine\bin\ nxserver --useradd USERNAME

Enabling and Disabling NoMachine access for a given userPrerequisites are:

i)The user has run at least one session or have been added to NoMachine dbs by means of 'nxserver--useradd' command.

ii) NoMachine Users DB is enabled (EnableUserDB 1 is set in server.cfg)

Then, on Linux or Mac execute from a terminal respectively:

sudo /etc/NX/nxserver --userenable USERNAME

sudo /etc/NX/nxserver --userdisable USERNAME





N°: D-010_006-NMC-NTD



Amended:A

Page 39 of 61

nxserver --userenable USERNAME

nxserver --userdisable USERNAME

Listing the NoMachine UsersAll users who have run at least one session or have been added to NoMachine dbs are stored in theUsers db. To retrieve the complete list on Linux or Mac, run from a terminal:

sudo /etc/NX/nxserver --userlist


cd C:\Program files (x86)\NoMachine\bin\ nxserver --userlist

Override user's setting to disable 'Accept connection'

If the user disabled 'Accept connections' from the !M monitor menu of the Enterprise Desktop, it's stillpossible to re-enable it via command line.

On Linux and Mac, execute from a terminal:

sudo /etc/NX/nxserver --useredit USERNAME --screensharing yes


cd C:\Program files (x86)\NoMachine\bin\nxserver --useredit USERNAME --screensharing yes

10.2. Connecting with a Privileged System Account

By default, NoMachine allows the running of sessions as privileged system user ('root' on Linux andMac and an administrator on Windows). You can however configure the NoMachine Server to disallowit. Do it by disabling the following server configuration key:

EnableAdministratorLogin 0

To re-enable the possibility to log in as root or administrator, set:

EnableAdministratorLogin 1



N°: D-010_006-NMC-NTD



Amended:A

Page 40 of 61

10.3. Managing Desktop Owner's Authorization (Trusted Users)

By default when the connecting user is different from the owner of the physical desktop, the desktopowner has to authorize the user for the connection. The owner of the physical desktop can be a userphysically sit in front of the Enterprise Desktop computer, or another NoMachine user connected byremote. Only system administrators, NoMachine administrators and NoMachine trusted users canconnect without explicit authorization. This setting corresponds to PhysicalDesktopAuthorization 1 inserver.cfg.

Possible alternative configurations are the following.

Disable the request for desktop owner's authorizationSet in the server.cfg file: PhysicalDesktopAuthorization 0

Allow only NoMachine trusted users to connect without authorizationSet in the server.cfg file: PhysicalDesktopAuthorization 2

NoMachine administrators and trusted usersBeing a NoMachine administrator doesn't alter current system privileges for that user. To make auser becoming a NoMachine administrator, do the following.

On Linux and macOS open a terminal and execute:

sudo /etc/NX/nxserver --useredit USERNAME --administrator yes

On Windows open a CMD console as Windows administrator and execute:

cd C:\Program files (x86)\NoMachine\bin\nxserver --useredit USERNAME --administrator yes

NoMachine trusted users have the ability to connect to the remote desktop without the need to beauthorized. It's also possible to define NoMachine groups of users and make them trusted, or maketrusted already existent system groups (on Linux and Mac only). It's also possible to limit the trustedattribute to those desktops owned by specific users.

Make a user trustedOn Linux and Mac executed from a terminal:

/etc/NX/nxserver--useredit USERNAME --trusted physical

To make the user trusted only for the desktop of a specific user (USERNAME2 can be also a list of comma-separated users):

/etc/NX/nxserver --useredit USERNAME --trusted physical --per-user USERNAME2



nxserver --useredit USERNAME --trusted physical



N°: D-010_006-NMC-NTD



Amended:A

Page 41 of 61

To make the user trusted only for the desktop of a specific user (USERNAME2 can be also a list of comma-separated users):

nxserver --useredit USERNAME --trusted physical --per-user USERNAME2

Remove the 'trusted' attribute On Linux and Mac executed from a terminal:

/etc/NX/nxserver--useredit USERNAME --trusted none



nxserver --useredit USERNAME --trusted none

List only trusted usersOn Linux and Mac execute in a terminal_

sudo /etc/NX/nxserver --userlist --trusted


cd C:\Program files (x86)\NoMachine\bin\ nxserver --userlist --trusted

10.4. Guest Users

The Enterprise supports the possibility to generate guest accounts on demand. The automaticgeneration of guests accounts is available on all platforms, i.e. Linux, Windows and Mac. This featurehowever is not enabled by default and must be activated via a profile rule.

Once enabled, the Enterprise Desktop will accept the request to log-in as and automatically create asystem account. Time of validity and other features can be set for guest users by editing the serverconfiguration

Enable guest accounts


sudo /etc/NX/nxserver --ruleadd --class feature --type enable-guest --value yes

To disable login as a guest:

sudo /etc/NX/nxserver --ruleadd --class feature --type enable-guest --value no



N°: D-010_006-NMC-NTD



Amended:A

Page 42 of 61



nxserver --ruleadd --class feature --type enable-guest --value yes

To disable login as a guest:

nxserver --ruleadd --class feature --type enable-guest --value no

TIP

Guest users don't know their username and password and cannot unlock the remote screen ifscreen locking is enabled. It's therefore necessary to disable it on the system.

Configuring guest accounts

Define range of names for guest accountsThe server creates guest accounts by adding a progressive number as a postfix to the base guestname. The range used for incrementing the postfix varies from a minimum and a maximum value.Base name and range for the postfix are configurable:

BaseGuestUserId 10GuestUserIdLimit 200

Define group for guest accountsGuestUserGroup guest

Define where the server has to create the guest accounts' homesGuestUserHome /home (e.g. for Linux)

Define for how long guest accounts have to be kept before being expiredDefault is 30 days:GuestUserAccountExpiry 2592000 (This value has to be set in seconds)

Define if guest accounts have to be deleted once expiredEnableGuestWipeout 1

Setting Disk Quota for Guest Accounts on LinuxThe following server configuration keys allow to set disk quota for guest accounts:GuestQuotaProtoname protoguestGuestQuotaInodeHardlimit 0GuestQuotaBlockSoftlimit 0GuestQuotaBlockHardlimit 0GuestQuotaInodeGracePeriod 0GuestQuotaBlockGracePeriod 0GuestQuotaFilesystems all

Define the maximum number of guests allowed to be created on this serverGuestUserLimit 10



N°: D-010_006-NMC-NTD



Amended:A

Page 43 of 61

Define the maximum number of sessions a guest can run on this server before theaccount expiresGuestUserConnectionLimit 5

Define for how long (in seconds) a guest can run the session before the account expiresGuestConnectionExpiry 0 (If value is set to 0, a guest's session is never terminated.)

11. Sessions' Management

Each session on the same server is uniquely identified by a session id (which can look like:B253864E822F5A235825F3AB8853AF00) and a display id (e.g.,1002).

A session on the NoMachine Enterprise Desktop can be in any of the following statuses:Connected - when it's connected to the remote display.Finished - the session has been closed in a clean way and all NoMachine processes have been shut-down smoothly.Failed - Any of the NoMachine processes has failed to start or it has been "un-cleanly" terminated.Transitional statuses are Connecting and Terminating.

TIP

NoMachine Enterprise Desktop is able to manage only connections to the remote physical desktop.

11.1. Monitoring Sessions

You can monitor sessions from command line tools.

Listing Running SessionsOn Linux and Mac, execute in a terminal:

sudo /etc/NX/nxserver --list

You can also filter results on a per-user basis:

sudo /etc/NX/nxserver --list USERNAME

and/or gather further information about connected clients:

sudo /etc/NX/nxserver --list --client-version --client-platform





N°: D-010_006-NMC-NTD



Amended:A

Page 44 of 61

nxserver --list

You can also filter results on a per-user basis:

nxserver --list USERNAME

and/or gather further information about connected clients:

nxserver --list --client-version --client-platform

The number of active connections on the server corresponds to the number of sessions in statusConnected. Session status is shown in the output of session history command.

Session HistoryHistory is preserved for a certain amount of time as set in the server istory configuration(SessionHistory key in server.cfg). The session history allows to see the complete list of sessions,including those that have been cleanly terminated or failed, debug a failed session and generatestatistics of sessions.


sudo /etc/NX/nxserver --history

To redirect the output of the session history to a file:

sudo /etc/NX/nxserver --history --file FILE

If you want to filter results on a per-user basis:

sudo /etc/NX/nxserver --history USERNAME

or to get details about a session:

sudo /etc/NX/nxserver --history SESSIONID



nxserver --history

To redirect the output of the session history to a file:

nxserver --history --file FILE

If you want to filter results on a per-user basis:

nxserver --history USERNAME



N°: D-010_006-NMC-NTD



Amended:A

Page 45 of 61

or to get details about a session:

nxserver --history SESSIONID

Debugging a Failed Session with Session HistoryIf a session is marked as failed in the session history output, the following command provides a shortreport helpful for a preliminary debug of the problem.

On Linux and Mac execute in a terminal:

sudo /etc/NX/nxserver --history ID_of_FAILED_SESSION

You can also redirect the error report to a file:

sudo /etc/NX/nxserver --history ID_of_FAILED_SESSION --file FILE



nxserver --history ID_of_FAILED_SESSION

You can also redirect the error report to a file:

nxserver --history ID_of_FAILED_SESSION --file FILE

Retrieving Statistics about Sessions with Session HistoryIt elaborates a number of information about sessions, contained in the current session history. Forexample the number of sessions started, terminated, running and failed and their average startuptime.


sudo /etc/NX/nxserver --history --stats

To redirect statistics to a file:

sudo /etc/NX/nxserver --history --stats --file FILE



nxserver --history --stats

To redirect statistics to a file:

nxserver --history --stats --file FILE



N°: D-010_006-NMC-NTD



Amended:A

Page 46 of 61

Clearing Sessions HistoryYou can reset the history.


sudo /etc/NX/nxserver --history clear



nxserver --history clear

Configuring the Session History BacklogData is preserved for 30 days. You can modify that in the server configuration file by uncommentingand setting a different value for the following key:SessionHistory 2592000

This key accepts the following values:< 0 Never delete data from NX session history.0 Disable NX session history.> 0 Keep data in session history for this amount of seconds.

11.2. Managing Sessions

Terminating Sessions AutomaticallyIf you need to terminate a remote desktop session after a certain time of inactivity, you can specify itby uncommenting and adding the '-timeout s' (s stays for seconds) option to theDisplayAgentExtraOptions key in the node configuration file.

For example, if you want to terminate sessions after 10 minutes of inactivity you need to set:DisplayAgentExtraOptions "-timeout 600"

If the NoMachine display agent doesn't receive any input from the user in the given timeout, it willterminate the session.

Terminating the Session from Command Line


sudo /etc/NX/nxserver --terminate SESSIONID

or:

sudo /etc/NX/nxserver --terminate DISPLAYID



N°: D-010_006-NMC-NTD



Amended:A

Page 47 of 61

To terminate all sessions of a certain user, run instead:

sudo /etc/NX/nxserver --terminate USERNAME

If you want to terminate all sessions, just restart the server:

sudo /etc/NX/nxserver --restart

If you want to terminate all sessions and forbid new connections until the server is started again:

sudo /etc/NX/nxserver --shutdown



nxserver --terminate SESSIONID

or:

nxserver --terminate DISPLAYID

To terminate all sessions of a certain user, run instead:

nxserver --terminate USERNAME

If you want to terminate all sessions, just restart the server:

nxserver --restart

If you want to terminate all sessions and forbid new connections until the server is started again:

nxserver --shutdown

Limit the number of concurrent connectionsThe maximum number of concurrent connections to the physical desktop is defined in the serverconfiguration (twenty by default). Set a different value in this key to increase or decrease the limit: ConnectionsLimit 20

It's also possible to limit the maximum number of connections that a user can do by editing inserver.cfg: ConnectionsUserLimit 20

Limits above can be used in conjunction with the AutomaticDisconnection key which controls theserver behaviour when the maximum number of allowed connections is reached: AutomaticDisconnection 0 The server prompts the connected user to accept or refuse to disconnectfor making room for the incoming user. If no choice is made, the user is automatically disconnected.This is the default. AutomaticDisconnection 1 The server automatically disconnects the connected user to make room forthe connecting user. No message is issued to the already connected user.



N°: D-010_006-NMC-NTD



Amended:A

Page 48 of 61

AutomaticDisconnection 2 The server prompts the connected user to accept or refuse to disconnectfor making room for the incoming user. If no choice is made, the server doesn't disconnect the userand advise the incoming user that the maximum number of allowed connections is reached. AutomaticDisconnection 3 The server never notifies desktop owners about incoming users, incomingusers are informed that the maximum number of allowed connections is reached.

11.3. Executing Custom Scripts on Server/Node Events

The server configuration provides a number of keys that can be activated to execute a customscript upon a certain event. According to the event, a number of parameters can be specified foreach script. In a similar way, a number of keys is present in the node configuration file to allow toexecute a custom script on a certain NoMachine node event. In both cases and according to theevent, a number of parameters can be specified for each script. Keys and parameters not supportedby the Enterprise Desktop are omitted in the table below.

Availablefor Configuration key Accepted parameter

(server.cfg)Accepted parameter

(node.cfg)server UserScriptBeforeLogin remote ip -

server UserScriptAfterLogin username,remote ip -

server UserScriptAfterLogout username, remote ip -

server,node UserScriptBeforeSessionStart session id, username,node host, node port

session id, username,session type, display

server,node UserScriptAfterSessionStart session id, username,node host, node port


server,node UserScriptBeforeSessionClose session id, username,node host, node port


server,node UserScriptAfterSessionClose session id, username,node host, node port


server UserScriptBeforeSessionFailure session id, username,node host, node port -

server,node UserScriptAfterSessionFailure session id, username,node host, node port


server UserScriptBeforeCreateUser username -

server UserScriptAfterCreateUser username -

server UserScriptBeforeDeleteUser username -

server UserScriptAfterDeleteUser username -

server UserScriptBeforeEnableUser username -

server UserScriptAfterEnableUser username -

server UserScriptBeforeDisableUser username -

server UserScriptAfterDisableUser username -



N°: D-010_006-NMC-NTD



Amended:A

Page 49 of 61

Note that order of parameters is relevant. For example, a custom script to be run on node event'UserScriptBeforeSessionStart' should use the $2 variable to retrieve username and $4 to retrievedisplay.

A further key in the node configuration file allows to run a custom script triggered on changeresolution events (resize of the remote screen). The related key is: UserScriptAfterRemoteResize

Pre-requisites to run custom scriptsCustom scripts must be executable. Custom scripts set-up in server.cfg are common to all the userswho are accessing the server and are executed by the nxserver program. Since nxserver is runningas the nx user, you have to grant this user the necessary permissions in order to execute the customscript.

Custom scripts set-up in node.cfg are executed by the nxnode program, which is run as theconnected user. Place the script in a directory that is accessible by the node, i.e. accessible by theconnected user(s).

By default if the execution of the scripts fails, the nxserver and nxnode will terminate. This meansthat the user's session will not start. You can override this behavior by forcing exit 0 inside thecustom script and let the session start even if the custom script is failed.

TIP

If NoMachine Enterprise Desktop is federated under a Cloud Server consider that custom scriptshave to be placed in server.cfg or node.cfg file on the Enterprise Desktop host, not on the CloudServer.

12. Connections to the Remote Desktop and Collaborative Sessions

By default all users can connect to the remote physical desktop of the Enterprise Desktop host. Whenthe desktop owner is different from the connecting user, he/she is always required to authorize theincoming request for connection unless the incoming user is a system administrators, a NoMachineadministrator or a NoMachine trusted user.

Authorization is not requested when the incoming user and the desktop owner are the same. This canbe configured via the UI in Settings -> Server -> Security panel. More configuration aptions areavailable via the server.cfg settings, see the paragraph in this guide about 'Managing DesktopOwner's Authorization'.

Other features like blanking of the remote screen and automatic lock of the remote screenupon session disconnection, configuring interactive/view-only mode and forcing a systemlogout upon session disconnection are also available. See the related paragraphs in this guide.TIPS

I When users connect to unattended or headless machines, consider to disable the request for



N°: D-010_006-NMC-NTD



Amended:A

Page 50 of 61

desktop owner's authorization before connecting or make such users trusted.II Allowing connections in interactive mode grants the user full access to the desktop resources

and applications. View-only mode is suggested for example when making presentations orteaching a lesson.

12.1. Blanking the Remote Screen and Auto Lock UponDisconnecting

NoMachine Enterprise Desktop supports the screen blanking feature: when active, the local userwill see a black screen on the physical monitor while somebody is connected from remote to thephysical desktop. Operations made on the physical screen are not shown and the local user cannotinteract with the desktop until the remote user logs-out. Control is given back to the local user oncethe remote user has logged off. Screen blanking is available for physical hosts, it is not supported onvirtual machines since it has effect on the physical monitor

You can activate the screen blanking feature on the Enterprise Desktop host machinefrom the UI:in the Settings -> Server -> Security panel select the 'Blank the physical screen when somebodyconnects' option

or in the server configuration file, server.cfg.Uncomment and set:EnableScreenBlanking 1

To disable screen blanking, set:EnableScreenBlanking 0.

Then restart the server to make this change effective.

The screen blanking feature can be used in conjunction with the automatic lock of the remotescreen. Even if the user didn't lock the screen before disconnecting by NoMachine, as soon as thescreen is unblanked, the system lock screen will be activated automatically to keep the remotedesktop protected even when the computer is running unattended.

You can enable the automatic remote screen lock from the UIIn the Settings -> Server -> Security panel by selecting the 'Lock the physical screen on disconnect'option

or in the server configuration file, server.cfg.

Uncomment and set:EnableLockScreen 1

To disable the automatic screen lock, set:EnableLockScreen 0

Then restart the server to make this change effective.



N°: D-010_006-NMC-NTD



Amended:A

Page 51 of 61

12.2. Configuring Interactive or View-only Mode

It's possible to configure if users will connect in interactive mode or view-only mode

via UIin the Settings -> Server -> Security panel choose 'Require permissions to let the remote usersinteract with the desktop'.

In this way, the desktop owner will be requested to authorize the incoming user (if different) to havean interactive connection.

or in the server.cfg file you can forbid users to interact with the desktop once connected by setting :PhysicalDesktopMode 0

In this way, the connected user will access the physical desktop in view-only mode.

To allow full interaction instead, ensure to have:PhysicalDesktopMode 2

A further setting, PhysicalDesktopMode 1 allows instead the connected user to interact with thedesktop except for resize operations.

TIP

When multiple users are connected to the desktop at the same time, it's possible to assign control ofmouse and keyboard to a specific user: right mouse click on the !M icon in the system tray, select'Yeld keyboard and mouse' and choose to whom assign.

12.3. Forcing a System Logout Upon Session Disconnection

The system logout will be triggered by the execution of a script upon the closure of the NoMachinesession. This script invokes the system command to force the logout, but due to great variety ofsupported systems, the script included in the Enterprise Desktop package provides by default justsome most common examples. You will need to tune it according to your system.

This script, named forcelogout.sh, is placed under the NoMachine installation directory:- /Applications/NoMachine.app/Contents/Frameworks/scripts/env/forcelogout.sh on macOS - /usr/NX/scripts/env/forcelogout.sh on Linux - %ProgramFiles(x86)%/NoMachine/scripts/env/forcelogout.bat on Windows

To force the system logout:-edit the forcelogout.sh script and specify the command to logout, appropriate for your operatingsystem.-edit the server.cfg file and enable the following key:LogoutOnDisconnect 1

When this key is enabled, NoMachine will try to execute the forcelogout.sh script. The automaticlogout will be effective only if the command set in the forcelogout.sh script is appropriate.



N°: D-010_006-NMC-NTD



Amended:A

Page 52 of 61

If you need to execute the logout after a certain period of time, enable also the following key andspecify a time value in seconds. The logout command will be executed when the timeout expires:LogoutOnDisconnectTimeout 0Timeout 0, the command to logout is executed immediately.

To delay the execution of the command, set the timeout in seconds. For example:LogoutOnDisconnectTimeout 600NoMachine will wait for ten minutes before executing the command to logout. If the user connectsagain by NoMachine in the meantime, the command to logout will not be executed.

13. Device Sharing, Copy&Paste and File Transfer

The Enterprise Desktop permits users to access and share their devices and resources from local toremote and vice-versa. Disks, printers, USB devices and more can be connected inside the session toeasily access them from both client and server side. At present device sharing is not available withweb sessions and requires to connect by NoMachine client.

Two-ways copy and paste is fully supported. Web sessions implements the NoMachine virtualclipboard provides for copying text from/to the session running in the browser and the localcomputer.

Download/upload files from the session to the local computer and vice-versa is also fully supported inclient and web sessions, as well as drag and drop of a file from remote to local and from local toremote.

By default device sharing, copy&paste and file transfer are always permitted. You can howevercompletely disable any of these services or disable it only partially, for example to prevent users fromsharing their local printer in the NoMachine session but permitting them to use the remote printer.

13.1. Connecting Devices

NoMachine implements a self-contained infrastructure for making available physical and logicaldevices over the network from local to remote or vice-versa.

The NoMachine infrastructure for device sharing ensures that all services work out of the box withoutthe need for any additional change or configuration. It is possible to connect disks, printers, USBdevices, network port and smartcards.

Connecting devices is supported only by NoMachine client (web sessions don't support that). Devicescan be connected through the NoMachine menu within the session (ctrl+alt+0 to open it). Connecteddevices can be disconnected during the life of the session and reconnected later. If option 'Export thisdeviceName at session startup' is checked in the menu panel, this device is automaticallyreconnected at the next session start-up.

Disabling device sharing



N°: D-010_006-NMC-NTD



Amended:A

Page 53 of 61

You can disable selectively the possibility to share a device

from the UIin the Settings -> Server -> Devices panel

or in the node configuration fileby editing the corresponding keys. The manual configuration permits also to limit only oneway ofservice, for example forbid to connect a local printer to remote. The next paragraphs deal withmanual node configurations in detail.

The available devices are:

Devices Configuration Technical details

Disks

Local and remote disks can be connectedand disconnected during the life of thesession and navigated by file browsing. Adisk connected as 'Public' is available toall users accessing that desktop. A privatedisk is available only to the user whoconnected it. Administrators can configure paths on theserver where public and private disks willbe mounted as well as specifying whichdisks on the server can be made availableto users.

This service relies on the NoMachineFile-system Server (nxfsd) andNoMachine File-system Adapter driveron Windows. On Mac it uses the nxfuseextension whilst on Linux it uses FUSE,installed on the system by default. Thenxfs and nxfsserver programs are usedon all systems to mount disks.

Printers

Local and remote printers can beconnected at any time (bi-directionalprinting). A connected printer is listedamong the available printers whenprinting a document or similar. A printercan be connected to be 'Public', i.e.available to all users connected to thatdesktop, or private, for a specific user. Itcan be also configured to be the defaultprinter.

This services relies on the NoMachineDevice Server service and theNoMachine Printer Adapter driver onWindows. On Mac and Linux it uses theCUPS infrastructure present on thesystem. In this last case, a printer canbe exported to the server only if theconnected user is in the lpadmin group.

USB devices

USB devices such as disks, pendrives,webcam etc... are forwarded through thenetwork. For example, when a USB deviceis forwarded from local (where the playeris running) to remote, it becomesavailable on the remote side only.

This service is based only on theNoMachine USB Server (nxusbd) anddrivers (NoMachine USB Hub,NoMachine USB Adapter and NoMachineUSB Host Adapter on Windows,nxusb.ko kernel module for Linux andnxusb.kext for Mac) and doesn't requireexternal tools.

Networkports

Service ports (such as Samba, CUPS, FTP,SSH, telnet and others) can be madeavailable from local to remote and vice-versa via a virtual network interface.

This service uses the NoMachine DeviceServer and the NoMachine VPN Adapterdriver on Windows and Mac. On Linux itrelies on a NoMachine tool plus astandard driver.

Smart Cards

A smartcard reader can be forwardedfrom client to server side and makessmartcard authentication available withinthe session. The server host must supportauthentication via smartcard.

Support for authentication with smartcard has been set-up by relying on thePublic Key Infrastructure (PKI) andrequires an OpenSC compatible smartcard. It can be integrated with Kerberosticket authentication and ticket



N°: D-010_006-NMC-NTD



Amended:A

Page 54 of 61

forwarding.

13.2. Disks

NoMachine allows access to local and remote file systems from within the session through the SSHFSfile-sharing protocol and by means of FUSE, a technology to implement a fully functional filesystem ina userspace program.

Connected folders and disks can be disconnected during the life of the session or left as they are.

By default, all disks from the server are available to be connected to the end-user's machine.However you can specify a set of disks and folders by editing a proper value for the DiskSharingListkey in the node configuration file. The default value is: all. Alternatively, you can specify a list ofcomma-separated directories. Note that $(HOME) and $(USER) are accepted values.

For example on Mac you might edit the node configuration file and specify:DiskSharingList $(HOME),/Volumes/TimeMachine

Connecting public disksDisks from the end-user's machine can be connected on the server in 'Public' or 'Private' mode.By default public disks are exported from player to "$(PUBLIC)" directory on the server, where$(PUBLIC) is:/Volumes on Mac/media on Linux C:\Users\Public on Windows Vista/7/8/8.1/10%ALLUSERSPROFILE% on Windows XP

You can specify a different path by un-commenting and editing the DiskSharingPublicBasePath key inthe node configuration file.Note that $(USER) is an accepted value that can be also concatenated to specify the path to adirectory, for example "/tmp/$(USER)".

The target directory must exist on the system!

Disabling Disks' ConnectionTo forbid disk and filesystem sharing, uncomment and set a proper value for the EnableDiskSharingkey in the node configuration file:client The filesystem on the client can be connected to server side and accessed from the session.server The filesystem on the server can be connected to the end-user's machine and accessedthrough the whole life of the session. both Client and server filesystem can be connected to remote and local sides respectively.none Neither client or server filesystem can be connected.

For example, to forbid connecting disks from remote to local side, set in the node configuration:EnableDiskSharing client

13.3. Printers



N°: D-010_006-NMC-NTD



Amended:A

Page 55 of 61

The printers sharing infrastructure integrates client-side printers with the server-side printingsubsystem and vice-versa. Printers available on the client machine can be shared and used within thesession as well as printers on the server side which can be made available on the end-user'smachine.

Connected printers can be disconnected during the life of the session or left as they are. In this case,they are automatically shared at the next session start-up.

On Linux and Mac this service uses the CUPS infrastructure present on the system.With CUPS 1.4 orlater, to ensure that users are able to connect a printer from local to their NoMachine session onLinux or Mac, it's necessary that the user already belongs to the CUPS System Group on theNoMachine server host. That's because, to add a printer to the CUPS system, the 'lpadmin' commandline tool has to be executed by a user who belongs to the CUPS's System Group, which can be forexample 'lpadmin' on Ubuntu, 'sys' on Fedora, RHEL and CentOS distributions and _lpadmin on Mac.

Disabling Printers' ConnectionTo forbid printer sharing it is necessary to uncomment and set a proper value for theEnablePrinterSharing key in the node configuration file:client Printers on the client can be connected to server side and made available within the session.server Printers on the server can be connected to the end-user's machine.both Client and server printers can be connected to remote and local sides respectively.none Neither client or server printers can be connected.

For example, to forbid a server-side printer to be connected to the end-user machine, set in the nodeconfiguration:EnablePrinterSharing client

13.4. USB Devices

This service creates a USB tunnel between client and server to forward devices over the networksuch as hard disk, web cams, barcode readers, and pen drives from local to remote desktops andvice-versa.

Disabling USB ForwardingTo forbid USB device sharing it is necessary to uncomment and set a proper value for theEnableUSBSharing key in the node configuration file:client USB devices on the client can be forwarded to server side and made available within thesession.server USB devices on the server can be connected to the end-user's machine.both Client and server USB devices can be connected to remote and local sides respectively.none Neither client or server USB devices can be connected.

For example, to avoid that users can forward a USB devices from the server to its own machine, setin the node configuration:EnableUSBSharing client

13.5. Network Ports



N°: D-010_006-NMC-NTD



Amended:A

Page 56 of 61

NoMachine can create virtual network interfaces and establish a bridge between local and remotesides or vice-versa to provide transparent access to network resources.

This service allows access to any of the default network servers like Samba, CUPS, FTP, SSH andTelnet or any other type, for example a MySQL server.

Connecting a Samba server allows access to resources on that server host via the SMB/CIFS protocol.Connecting a local CUPS server to the remote side allows mounting of printers (local to the user) onthat remote CUPS subsystem so that files can be printed on the remote side via the IPP protocol.

Some typical examples of usage:Print to remote printers from the sessionIf you have a Linux or Mac machine you can add the local CUPS server via the player toolbar. Chooseto add a local server and select CUPS. In this way all printers that are available on your side will beavailable also on the server and you can print all your documents via the native CUPS (IPP) protocol.

Access a remote host not in your Network NeighborhoodIf the remote host has a Samba server, you can add it via the player toolbar. Choose to add a remoteserver and select Samba as server type. Once that Samba server is added, the remote host shows upin your local Network Neighborhood. You can then connect to remote folders via SMB/CIFS protocol asif that host was in your local network.

Make available a client side HTTP serverYou can add your local HTTP server via the player toolbar and make it available on the remote hostwhere your session is running. In this way you can develop and test your web application directlyinside the session, without the need for sharing or moving files from remote to local.

Connect to MySQL server behind a firewallYou can choose to add a remote server via the player toolbar. Select 'Custom' and specify MySQL andthe port for the MySQL server, by default 3306. Once done, you can connect to that MySQL server viathe MySQL client installed on your PC.

Disabling Network Port ForwardingTo forbid network server sharing it is necessary you uncomment and set a proper value for theEnableNetworkSharing key in the node configuration file: client Network servers on client side canbe connected and made available within the session. server Network server on the server side can be connected and made available on the end-user'smachine.both Network servers from client and server side can be connected to remote and local sidesrespectively.none Neither client or server side network servers can be connected.

For example, to forbid users from connecting their local ports to the server, set in the nodeconfiguration:EnableNetworkSharing server

13.6. Smartcard Readers

When the smartcard reader plugged into the enduser's host is forwarded to the server host, thesmartcard authentication is made available inside the session. It can be integrated on with KerberosTicket system for example for implementing single sign-on (SSO).



N°: D-010_006-NMC-NTD



Amended:A

Page 57 of 61

Disabling Smartcard readers' ForwardingYou can enable or disable support for smarcard forwarding by uncommenting and setting theEnableSmartcardSharing key in the node configuration to 1 or 0 respectively.

To disable it set in node configuration file: EnableSmartcardSharing 0

13.7. Copy and Paste Operations

By default users can copy and paste from local to the session and vice-versa.

You can configure the server to limit such operations by setting proper values in the configuration fileas explained below.

Limiting copy & paste operationsTo forbid copy & paste partially or totally, uncomment and set a proper value for the EnableClipboardkey in the server configuration file:client Content copied on the user's side can be pasted inside the session.server Content copied inside the session can be pasted on the user's side.none No copy and paste operations are allowed.both Two-way copy and paste operations are allowed.

Limiting the Clipboard BufferBy default, the clipboard buffer is unlimited. If you want, for example, to limit the clipboard buffer to4MB, you have to uncomment and set the following key (value is espressed in bytes) in the nodeconfiguration file:ClipboardBufferLimit 4194304

13.8. Transferring Files

When a user is connected to the desktop, they have the possibility to transfer files by using theConnection Monitor tool from the system tray within the session. The user can transfer a file fromtheir own PC to the remote host where the session is running and vice-versa. If multiple users areconnected, each of them can send a file to a specific user or to all connected users. Drag and drop ofa file is also supported

You can manage file transferfrom the UIIn the Settings -> Server -> Security panel

or via node configuration.

Disabling File TransferTo forbid file transfer you have to uncomment and set a proper value for the EnableFileTransfer keyin the node configuration file:client Files can be transferred from client machine to the server.server Files can be sent from the server to clients.



N°: D-010_006-NMC-NTD



Amended:A

Page 58 of 61

both Client and server files can be transferred on remote and local respectively.none Neither client or server files can be transferred.

For example, to forbid users from transferring a file from the server to their PC:EnableFileTransfer client

14. Multimedia and Session Recording

14.1. Supporting Audio and Microphone

On Linux, NoMachine audio framework is integrated with PulseAudio sound server. If PulseAudio isnot available on the system, NoMachine is able to use ALSA (Advanced Linux Sound Architecture).This is automatically managed by the NoMachine server so that multimedia support can work out ofthe box without the need for any configuration. If both PulseAudio and Alsa are available, theadministrator might want to configure the node to use one or the other.

On Windows 10,8,7 and Vista NoMachine's audio system perfectly integrates with the Windows mediaframework. On XP instead, NoMachine relies on its own driver, the NoMachine Audio Adapter. Formicrophone support NoMachine always uses the NoMachine Microphone Adapter driver.

On Mac, NoMachine installs and uses its own virtual drivers to support audio and microphoneseamlessly.

Disabling or Setting Audio SupportTo disable audio and microphone support, uncomment and set the AudioInterface key to 'disabled' inthe node configuration file:AudioInterface disabled

On Linux it is possible to define whether PulseAudio Server or ALSA has to be used by settingAudioInterface key to 'pulseaudio' or 'alsa' respectively. For example: AudioInterface pulseaudio

Accepted values on Windows and Mac are instead 'nxaudio' or 'disabled'.

14.2. Recording your Screen

NoMachine permits to record in a video all activities made inside the session or on the desktop. Tostart the recording of the session, users should open the NoMachine menu inside the session(ctrl+alt+0) and click on the 'Recording' button icon to access the Recording panel. From this panelit's possible to open the recording bar, change audio and video quality and open the recording



N°: D-010_006-NMC-NTD



Amended:A

Page 59 of 61

directory to access all recorded files. Session recording is not available with sessions on the web.

To register activities made on the desktop, start the recording from the !M icon menu in the systemtray of the Enterprise Desktop host and show the Recording bar from there. Desktop activities can beregistered on the physical desktop without the need to be connected by NoMachine.

Recorded files are saved by default in WebM format and can be played back directly with NoMachineor any other player supporting that format. Video streams can be encoded only with VP8 or H.264when supported. Recorded files are saved by default on the user's device in the NoMachine directoryunder the 'Documents' directory.

Disabling session recordingTo prevent users from recording their session activities, edit the node configuration to set: EnableSessionRecording 0

Disabling desktop recordingTo prevent users from recording desktop activities, even when physically logged into the EnterpriseDesktop host, edit the node configuration to set: EnableLocalRecording 0

14.3. Automatic Screen Recording

The automatic recording of the session at session startup is disabled by default.

To enable it on Linux and macOS, execute in a terminal:

sudo /etc/NX/nxserver --recording yes

on Windows, open a CMD console as administrator and execute:

cd C:\Program files (x86)\NoMachine\bin\ nxserver --recording yes

TIP

You can also define the percentage of session to be recorded by specifying the '--percentagePERCENTAGE' parameter or activate the recording for a specific user only or group of users bymeans respectively of: '--user ' and '--group '.

15. Automatic Updates



N°: D-010_006-NMC-NTD



Amended:A

Page 60 of 61

The Enterprise Desktop, as well as the other NoMachine client and server products, periodicallychecks NoMachine repositories (by default every two days) to verify if updates are available and willprompt a dialog informing the user that a new version is available.

It will never automatically update the current installation. Also the download in background of a newsoftware version will not lead to an automatic update of the current installation.

A separate guide, available at: https://www.nomachine.com/all-documents deals specifically with allthe possible options for the automatic software updates.

16. Logging Facilities

To retrieve logs by using the NoMachine tools, please refer to guides available in the Configurationsection at: https://www.nomachine.com/all-documents.

TIP

When debug mode is enabled, server logs may increase consistently. It's suggested to keep debuglevel only for the time necessary to reproduce the problem and collect logs.

17. Setting-up a Centralized Access to Multiple Enterprise DesktopServers

If you own multiple installations of Enterprise Desktop, you may need to provide a single point ofaccess to all of these servers. This can be done by installing NoMachine Cloud Server on a dedicatedhost and add each Enterprise Desktop to it.

In this way, users will connect to the hostname/IP of the Cloud Server and will be redirected to theappropriate Enterprise Desktop or, depending on the Cloud Server configuration, will be able tochoose it manually.

You may also configure the NoMachine centralized infrastructure to make each Enterprise Desktop toaccept or refuse direct connections to its host.

To grant high available access to this centralized system, it's possible to add a second Cloud Serverto the first one and set-up a failover cluster.

Refer to the following article for more details about the Cloud Server multi-server environment,included instructions to set-it up and FAQs: https://www.nomachine.com/AR05R01088



N°: D-010_006-NMC-NTD



Amended:A

Page 61 of 61



https://88.207.207.59:11500/AR05R01088