On Friday 8. March 2013 13.29.17 Brian Hinz wrote:
> On Fri, Mar 8, 2013 at 11:36 AM, Dragseth Roy Einar <roy.drags...@uit.no> wrote:
> > We're in the process of establishing an open remote desktop service for
> > the users of our HPC-cluster. The plan is to provide an unrestricted VNC
> > access to the login screen (using xdm) and require TLSnone as encryption
> > for all connections. So, my question to the forum is: Does anyone have
> > experience in running such a service in a production environment? Are
> > there any pitfalls we should be aware of?
>
> I've been doing this for a similar environment for several years now. In
> our case, we have about 40 login servers that are all individually
> accessible. I created a Perl daemon that runs on each server, listening on
> tcp/5900 and offers only the Ident SecurityType (which AFAIK is only
> supported by the TigerVNC and TurboVNC Java clients). This allows the
> daemon to identify the client user and then sends a ClientRedirect message
> to the viewer with the address of the user's existing or newly spawned Xvnc
> session. It's not very sophisticated, but it gets the job done.
>
> > Yes, I'm aware that we will be exposing the xdm login screen to the whole
> > world, but we're currently allowing this for ssh login so in principle
> > we're already having our jewels hanging out there...
>
> We do the same except that the cluster is not publicly accessible.
>
> > If we can pull this off we will be able to improve our service level by
> > offering a simple Linux desktop (XFCE) to our users without requiring
> > anything from their side other than a Java-enabled web browser.
>
> Java WebStart can also be used to serve the jar file so that it can be used
> more like a native application. Personally, I prefer this because it
> decouples the client from the browser and allows client updates to be
> managed transparently.
>
> > In the test setup we have 16 login servers behind a NAT firewall and a
> > simple web frontend that hands out the vncviewer jar and picks a random
> > server among the 16. I can even run sophisticated 3D molecular modelling
> > software from my dirt cheap Android tablet (using the bVNC app).
>
> One problem that my approach has is that there is nothing preventing people
> from starting sessions on multiple machines, so this tends to happen and
> then they can't understand why Firefox says that there's another instance
> running, etc. It would be nice to have a portal-type application that
> could provide a single point of entry which displays any current sessions
> for the whole cluster and gives the option of selecting one of those or
> creating a new session.
>
> Also, DRC mentioned something on the TurboVNC list the other day about one
> of his customers possibly open sourcing their portal app. Not sure about
> any details yet, maybe he can weigh in.
>
> -brian

Thanks to all for the quick and insightful responses.

As for TurboVNC vs TigerVNC, I was under the impression that they would merge. Is this not the case? I took a quick stab at using TurboVNC, but could not make it work with xinetd as TigerVNC does. (But that probably belongs to the TurboVNC list.) It might make sense to use TurboVNC as we plan to augment this service with VirtualGL for the users that need to use more demanding 3D applications.

We do not intend to support persistent sessions (at least in the first incarnation) so sessions terminate as soon as a client disconnects.

--
r.

_______________________________________________
Tigervnc-users mailing list
Tigervnc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tigervnc-users
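
Added example, not part of the thread or of TigerVNC: a check that a server's RFB handshake offers nothing except VeNCrypt with the TLSNone subtype, which is the policy described in the original question. It assumes an RFB 3.8 server speaking VeNCrypt 0.2 and parses only the server-to-client bytes of a capture; the function names and the two sample captures are constructed for illustration.

```python
import struct

VENCRYPT = 19  # RFB security type number assigned to VeNCrypt
SEC_TYPES = {1: "None", 2: "VncAuth", VENCRYPT: "VeNCrypt"}
SUBTYPES = {256: "Plain", 257: "TLSNone", 258: "TLSVnc", 259: "TLSPlain",
            260: "X509None", 261: "X509Vnc", 262: "X509Plain"}


def parse_server_offer(stream):
    """Parse the server-to-client bytes of an RFB 3.8 handshake capture.

    Returns (security type names, VeNCrypt subtype names).
    """
    if len(stream) < 14 or stream[:4] != b"RFB " or stream[11:12] != b"\n":
        raise ValueError("missing RFB ProtocolVersion message")
    count = stream[12]
    raw = stream[13:13 + count]
    if count == 0 or len(raw) != count:
        raise ValueError("server refused or capture truncated")
    types = [SEC_TYPES.get(t, "unknown(%d)" % t) for t in raw]
    rest = stream[13 + count:]
    subtypes = []
    if VENCRYPT in raw and rest:
        # VeNCrypt 0.2: version (2 bytes), ack (1 byte), subtype count (1 byte)
        if len(rest) < 4 or rest[:2] != b"\x00\x02" or rest[2] != 0:
            raise ValueError("unsupported or failed VeNCrypt negotiation")
        n = rest[3]
        if len(rest) < 4 + 4 * n:
            raise ValueError("truncated subtype list")
        codes = struct.unpack_from("!%dI" % n, rest, 4)
        subtypes = [SUBTYPES.get(c, "unknown(%d)" % c) for c in codes]
    return types, subtypes


def policy_violations(stream, allowed=("TLSNone",)):
    """List everything offered that is not VeNCrypt with an allowed subtype."""
    types, subtypes = parse_server_offer(stream)
    bad = ["security type " + t for t in types if t != "VeNCrypt"]
    bad += ["VeNCrypt subtype " + s for s in subtypes if s not in allowed]
    if "VeNCrypt" not in types:
        bad.append("VeNCrypt not offered")
    return bad


# Constructed sample captures (not taken from a real server).
HELLO = b"RFB 003.008\n"
STRICT = HELLO + bytes([1, 19]) + b"\x00\x02\x00\x01" + struct.pack("!I", 257)
LOOSE = HELLO + bytes([3, 19, 2, 1]) + b"\x00\x02\x00\x02" + struct.pack("!2I", 257, 256)

if __name__ == "__main__":
    for name, cap in (("strict", STRICT), ("loose", LOOSE)):
        print(name, policy_violations(cap) or "ok")
```

An empty result means the capture matches the policy; any other security type or subtype the server still advertises is listed by name.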