HOB MacGate Administration Guide
Administration Guide
HOB MacGate
Software version: 1.5
Issue: December 2014

HOB MacGate Software and Documentation - Legal Notice

Contact:
HOB GmbH & Co. KG
Schwadermuehlstr. 3
90556 Cadolzburg
Germany
Represented by: Klaus Brandstätter, Zoran Adamovic
Phone: + 49 9103 715 0
Fax: + 49 9103 715 271
E-mail: [email protected]
Register of Companies: Entered in the Registry of Companies, Registry Court: Amtsgericht Fürth, Registration Number: HRA 5180
Tax ID: Sales Tax Identification Number according to Section 27a Sales Tax Act: DE 132 747 002
Responsible for content according to Section 55 Paragraph 2 Interstate Broadcasting Agreement: Klaus Brandstätter, Zoran Adamovic, Schwadermuehlstr. 3, 90556 Cadolzburg, Germany.

Disclaimer

All rights are reserved. Reproduction of editorial or pictorial contents without express permission is prohibited. HOB MacGate software and documentation have been tested and reviewed. Nevertheless, HOB will not be liable for any loss or damage whatsoever arising from the use of any information or particulars in, or any error in, or omission from this document. All information in this document is subject to change without notice, and does not represent a commitment on the part of HOB.

Liability for content

The contents of this publication were created with great care and diligence. While we keep it as up-to-date as practicable, we cannot take any responsibility for the accuracy and completeness of the contents of this publication. As a service provider we are responsible for our own content in this publication under the general laws according to Section 7 paragraph 1 of the TMG. According to Chapters 8 to 10 of the TMG we are not obliged as a service provider to monitor transmitted or stored information not created by us, or to investigate circumstances that indicate illegal activity. Obligations to remove or block the use of information under the general laws remain unaffected. Liability is only possible however from the date of a specific infringement being made known to us. Upon notification of such violations, the content will be removed immediately.

Liability for links

This publication may contain links to external websites over which we have no control. Therefore we cannot accept any responsibility for their content. The respective provider or operator of the website pages to which there are links is always responsible for the content of the linked pages. The linked sites were checked at the time of linking for possible violations of the law. At the time the link was created in this publication, no illegal or harmful contents had been identified. A continuous and on-going examination of the linked pages is unreasonable without concrete evidence of a violation. Upon notification of any violations, such links will be removed immediately.

Copyright

The contents and works on these pages created by the author are subject to German copyright law. Reproducing, copying, modifying, adapting, distributing or any kind of exploiting of this material outside the realms of copyright require the prior written consent of the respective author or creator. The downloading of, and making copies of, these materials is only permitted for the intended use. Where contents of this publication have not been created by the author, the copyright of the third parties responsible for these contents shall be upheld. In particular any contents created by a third party are marked as such. If you become aware of any copyright infringement within this publication, we kindly ask to be provided with this information. Upon notification of any such violation, the concerned content will be removed immediately.

Trademarks

Microsoft Windows is a trademark of Microsoft Corporation. Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries. Mac OS and Apple are trademarks of Apple Inc., registered in the U.S. and other countries. Oracle and Java are registered trademarks of Oracle and/or its affiliates. All other product names, company names and service names may be trademarks, registered trademarks or service marks of their respective corporations or owners, even if they are not specifically marked as such.

Issued: December 15, 2014
Security Solutions by HOB

Purpose of this Guide

This guide is designed to provide system administrators with detailed information concerning HOB MacGate and to help them decide where and when this product can be most effectively deployed in their enterprise network. This documentation contains descriptions of numerous possible scenarios and explains required conditions. The procedures for configuring the individual software components are documented in detail with step-by-step instructions.

Symbols and Conventions

This guide uses certain conventions and abbreviations which are explained here:

This symbol indicates useful tips that can make your work easier.
This symbol indicates additional informative text.
This symbol indicates an important tip or procedure that may have far-reaching effects. Please consider carefully the consequences of any changes and settings you make here.

References to program commands, options and buttons are printed in Bold, for example: select the command Open.
Cross-references to section headings and figures with numbers are marked in color as follows: Section 5 Information and Support.
File names and text to be entered by the user are printed in Courier New. This input is – unless otherwise mentioned - case sensitive.

In this documentation, HOB-specific terminology is abbreviated as follows:

HOB-specific Terminology                       Abbreviation
HOB WebSecureProxy                             HOB WSP
HOBLink Java Windows Terminal                  HOBLink JWT
HOB Remote Desktop Virtual Private Network     HOB RD VPN

Contents

1 Introducing HOB MacGate
  1.1 Features of HOB MacGate
  1.2 HOB MacGate running as a Daemon
2 Installation
  2.1 System Requirements
  2.2 Installing HOB MacGate
3 Configuring HOB MacGate
  3.1 Status Window
  3.2 Connection Tab
  3.3 Printing Tab
  3.4 Access Tab
  3.5 Others Tab
4 Configuring HOBLink JWT
  4.1 Configuring the Connection with HOBLink JWT
5 Combining HOB MacGate with HOB RD VPN
  5.1 Configuring HOB MacGate to Work with HOB RD VPN
  5.2 Configuring a HOBLink JWT Session
  5.3 Configuring HOB WebSecureProxy
  5.4 Configuring HOB RD VPN Desktop-on-Demand
6 Configuring Microsoft Remote Desktop Connection
7 Printing with HOB MacGate
  7.1 Enabling Printing in the Client Session
  7.2 Enabling Printing in HOB MacGate
  7.3 Choosing the Correct Printer Driver
8 Troubleshooting
  8.1 The RDP Session Cannot Connect
  8.2 The RDP Session Reports an Error
  8.3 Consulting the Logfile for Errors
9 Starting and Stopping HOB MacGate
  9.1 Starting and Stopping HOB MacGate Using System Preferences
10 Uninstalling HOB MacGate
11 Supplementary Information
  11.1 Limitations
  11.2 Known Issues
12 Information and Support

1 Introducing HOB MacGate

HOB MacGate is the perfect software for remote access to your Mac – anywhere and anytime. It provides you with access to all centrally stored data and applications on your Mac. Since the complete GUI is transferred, you can work as comfortably and productively as if you were sitting directly in front of your Mac. HOB MacGate can be used from your favorite end device: a Mac, a Windows PC or a Linux PC. As connectivity software on the end device, you can use either the proprietary RDP client HOBLink JWT or the Microsoft Remote Desktop Client (RDC). However, to obtain best performance, HOB strongly recommends using HOBLink JWT or HOBLink iWT.
With HOB MacGate your comfort and work efficiency are improved. An Internet or LAN connection is sufficient. There is no need to carry around multiple devices when all of your data and applications can be accessed through a single device. This gives you the freedom to create flexible and mobile workplaces with enhanced productivity potential. HOB MacGate is very easy to use. You simply install and configure HOB MacGate on the Mac that you would like to access. It will then continue to run as a background process. The major advantage: there is no need for installation, administration rights or additional drivers on the end device. This makes using it so convenient. Furthermore, HOB MacGate can be used as an extension to HOB RD VPN (HOB Remote Desktop Virtual Private Network). HOB RD VPN is the HOB software solution providing secure SSL/TLS encrypted remote access to centrally stored data and applications. When used together, data transmission between the Mac and the remote end device is SSL-encrypted - for even higher security. 

Figure 1: Access a Mac Remotely from Any Client Platform

1.1 Features of HOB MacGate

HOB MacGate includes the following features:

- Single user remote access to Mac desktops
- Print locally to printers connected to the client using applications installed on your Mac host
- Extendable printer database using PPD files
- Synchronization of remote and local monitor resolution – the chosen display on the monitor of one machine is matched on the other
  - On session startup from client to server
  - During session only from server to client
- Copy and paste of text between remote session and local session
- Ability to disable clipboard from the Mac OS side
- International keyboard support
  - Use the keyboard layout of the client (client-oriented)
  - Use the keyboard layout of the Mac (server-oriented)
- User and group permissions to access HOB MacGate
- Hidden screen mode
- Locked screen mode – run your redirected session in the background
- Mouse pointer image synchronization between the two machines
- Configurable server port
- Configurable terminal server security levels
- Installer package in English and German
- Login screen redirection

1.2 HOB MacGate running as a Daemon

HOB MacGate runs on your Mac as a daemon under Mac OS X. A daemon (disk and execution monitor) is a computer program that runs invisibly in the background rather than under the direct control of a user. Daemons are usually initiated as background processes, so once HOB MacGate is installed it runs permanently and does not need to be individually started. It can of course be configured as desired, as often and at any time you wish to suit your changing needs.

2 Installation

2.1 System Requirements

Although HOB MacGate is a relatively small software package, failure to deploy it on suitable hardware can result in poor performance. Make sure that your system meets these requirements.
The HOB MacGate software only needs to be installed on the Mac side, with your preferred RDP software on the client side. Once configuration is completed, the Mac and PC environments are fully integrated.

Mac System
The required operating system is Mac OS X 10.7 (Lion edition) or later (until Mac OS X 10.10 Yosemite edition). HOB recommends using hardware with a CPU of at least 1.83 GHz and 2 GB RAM.

Client System
An additional component is necessary on the remote client side. HOB recommends using either HOBLink JWT, the HOB Java terminal server client component, HOBLink iWT, or HOB RD VPN, the HOB secure remote desktop solution. The Microsoft RDP client, Microsoft Remote Desktop Connection, is also supported.

Memory Requirements
The following information refers to a typical installation and is only approximate. The actual values depend on the OS being used. The installation requires a minimum of 400 MB hard disk space on the Mac.

2.2 Installing HOB MacGate

HOB MacGate 1.5 is delivered as a disk image (.dmg) file.

1. Copy the file HOB MacGate 1.5.dmg to the Mac desktop.
2. Double-click the disk image to open it. The image loads as a new volume on your desktop. This new volume is named HOB MacGate 1.5.
3. Click the HOB MacGate 1.5 volume to display its contents.
4. Double-click the file HOB MacGate.pkg, which starts the installation program. It also includes a .pdf version of the HOB MacGate Administration Guide and an uninstaller. The HOB MacGate Administration Guide can be accessed by following the file, /Library/Documentation/HOB/MacGate/HOB MacGate Administration Guide.pdf and is also accessible to all users under: /Users/Shared/HOB/MacGate.

   Figure 2: HOB MacGate Installer

5. The HOB MacGate installer guides you through the installation process. Click Continue after each step. Once the installation is complete, HOB MacGate starts.
Once you have entered the serial number (see Section 3.2 Connection Tab on page 12), you can connect from your RDP client.

3 Configuring HOB MacGate

For HOB MacGate to run, it must be properly configured on the Mac and on the client side. HOB recommends taking time to carefully read through these instructions in order to ensure an optimal installation.

To configure HOB MacGate:

1. Open System Preferences.

   Figure 3: System Preferences

2. Click the HOB MacGate icon under Other.

3.1 Status Window

Upon starting HOB MacGate, the status window is displayed.

Figure 4: Status Window

The currently installed version of HOB MacGate is shown. The status window always stays open in the background. You can also disconnect an active remote session or open the preferences to display the following tabs:

- Connection Tab – see Section 3.2 Connection Tab on page 12.
- Printing Tab – see Section 3.3 Printing Tab on page 14.
- Access Tab – see Section 3.4 Access Tab on page 16.
- Others Tab – see Section 3.5 Others Tab on page 17.

3.2 Connection Tab

The Connection tab controls how the connection between the client machine and your Mac is set up. It also indicates the current status of the HOB MacGate program with a small colored button and the words On or Off that show if it is currently running (see the figure below). Any changes made here take effect when the lock or the panel is closed unless otherwise specified.

Figure 5: Connection Tab

The following information on licensing can be seen and managed here:

Manage Licensing
Click Manage Licensing to display the following dialog, where you enter your serial number (for example, 1-1234567ABCDEFG).

Figure 6: Serial Number

Enter the serial number delivered with HOB MacGate here and click OK.

The serial number given to you contains a hyphen.
All characters before the hyphen must be entered in the Serial field. All characters after the hyphen must go in the Key field. 1-1234567ABCDEFG is how the serial number in Figure 6 on page 12 looks.

The following settings can be configured on the Connection Tab screen (see Figure 5 on page 12):

Connection Settings

Port – the port used to access HOB MacGate. Enter a port number. The default is 3389. This port number and the IP address of the Mac constitute the target for the RDP client configuration. HOB MacGate must be restarted using the Restart button on the Connection Tab screen for the settings to take effect.

Security Level – your data can be protected by encrypting it on the communications link between the client and the Mac. Encryption protects against the risk of unauthorized interception of transmitted data. By default, remote desktop sessions are encrypted at the highest level of security available (128-bit). However, some older versions of Terminal Services Client software do not support such a high level of encryption. If your network contains such legacy clients, set the encryption level of the connection to send and receive data at the highest encryption level supported by the client.

Low
This level encrypts the data from the client to the server (40- or 56-bit, RC4) and should only be used if other additional encryption protects your data, for example if you are using HOB RD VPN.

For even stronger encryption, HOB RD VPN can be used in combination with HOB MacGate. See Section 5 Combining HOB MacGate with HOB RD VPN on page 23 for more information.

Client compatible
This level encrypts data sent between the client and the remote computer at the maximum key strength supported by the client. Use this level if your client computer does not support 128-bit encryption.

High
This level encrypts data sent from the client to the remote computer and from the remote computer to the client using 128-bit encryption.
Use this level only if you are sure that your client supports 128-bit encryption (if it is running Windows XP Professional, for example). Clients that do not support this level of encryption are not able to connect.

Disable HOB MacGate – when this checkbox is enabled, HOB MacGate is off and will not accept connection requests from any client machine until it is enabled. The only way HOB MacGate can be enabled again is by disabling this checkbox. When HOB MacGate is disabled, the current status will be off.

Restart – click Restart to restart HOB MacGate after it has been stopped via the Stop button. This button can also be used to make changes take effect.

Stop – click Stop to temporarily stop HOB MacGate. When the system is restarted, HOB MacGate will be on again. Clicking Restart will also turn HOB MacGate back on.

3.3 Printing Tab

The Printing tab allows you to configure printing locally on the remote session from applications installed on your Mac Host. For more information on these settings, see Section 7 Printing with HOB MacGate on page 33 or click the help button in the bottom right corner of the screen below. Any changes made here take effect when the lock or the panel is closed unless otherwise specified.

Figure 7: Printing Tab

Select the Enable printing checkbox to enable printing in HOB MacGate. Make sure that the Use IPP (Internet Printing Protocol) checkbox is selected. This protocol is used by HOB MacGate for printing via your connected local machine.

The Use LPD (Line Printer Daemon Protocol) checkbox can also be used instead of IPP. Due to its limited functionality, it is recommended that this only be selected when IPP is not an option.

The same queue name format must be used for both LPD and IPP printing. This is the name of the printer queue that is automatically created when printers are mapped to the Mac.
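
The Security Level setting on the Connection tab (Section 3.2) can be checked from the network side. The following added example is not part of the HOB guide or HOB's software: it parses the Server Security Data block of an RDP connect response, as laid out in Microsoft's MS-RDPBCGR specification, and flags the cases the guide warns about. It assumes HOB MacGate reports its level in that standard block; the sample bytes, `build_sample` and the `tunnelled` flag are constructed for illustration.

```python
import struct

# Values defined for the RDP Server Security Data block (MS-RDPBCGR).
SC_SECURITY = 0x0C02
METHODS = {0x00: "none", 0x01: "40-bit RC4", 0x08: "56-bit RC4",
           0x02: "128-bit RC4", 0x10: "FIPS"}
LEVELS = {0: "none", 1: "low", 2: "client compatible", 3: "high", 4: "FIPS"}
WEAK_METHODS = {0x00, 0x01, 0x08}


def find_server_security(blocks: bytes) -> bytes:
    """Walk the type/length-prefixed user-data blocks; return the SC_SECURITY body."""
    offset = 0
    while offset + 4 <= len(blocks):
        block_type, block_len = struct.unpack_from("<HH", blocks, offset)
        if block_len < 4 or offset + block_len > len(blocks):
            raise ValueError(f"malformed block header at offset {offset}")
        if block_type == SC_SECURITY:
            return blocks[offset + 4:offset + block_len]
        offset += block_len
    raise ValueError("no Server Security Data block present")


def audit(blocks: bytes, tunnelled: bool = False) -> dict:
    """Report the negotiated method and level and list what needs attention.

    tunnelled=True is this example's way of saying the session already runs
    inside additional encryption (the guide's condition for using Low).
    """
    body = find_server_security(blocks)
    if len(body) < 8:
        raise ValueError("Server Security Data block is truncated")
    method, level = struct.unpack_from("<II", body, 0)
    findings = []
    if not tunnelled:
        if method in WEAK_METHODS:
            findings.append(f"weak or absent RDP encryption: {METHODS[method]}")
        elif method not in METHODS:
            findings.append(f"unknown encryption method {method:#x}")
        if level <= 1:
            findings.append("level none/low without additional encryption")
        elif level == 2:
            findings.append("client compatible: legacy clients get weaker keys")
    return {"method": METHODS.get(method, hex(method)),
            "level": LEVELS.get(level, str(level)),
            "findings": findings}


def build_sample(method: int, level: int) -> bytes:
    """Constructed server user data: a core block followed by a security block."""
    core = struct.pack("<HHI", 0x0C01, 8, 0x00080004)
    server_random = bytes(32)  # placeholder random, no certificate attached
    body = struct.pack("<IIII", method, level, len(server_random), 0) + server_random
    return core + struct.pack("<HH", SC_SECURITY, 4 + len(body)) + body


if __name__ == "__main__":
    for name, sample, tunnelled in [
        ("Low, direct", build_sample(0x01, 1), False),
        ("Low, inside a tunnel", build_sample(0x08, 1), True),
        ("Client compatible", build_sample(0x02, 2), False),
        ("High", build_sample(0x02, 3), False),
    ]:
        print(name, audit(sample, tunnelled))
```
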
The queue name may consist of the following variables:

- #Owner – this is the name of the machine accessing HOB MacGate as well as the owner of the printer.
- #PrnName – this is the printer name of the printer used in the remote session.
- #DriverName – this is the name of the driver used in the remote session for that printer.

Click the Configure Drivers button (see Figure 7 on page 14) to add another printer. The following dialog is displayed.

Figure 8: Configure Drivers

Clicking Remove on the Configure Drivers screen will temporarily delete the makes and models from the provided list of Printer Details. Click Cancel and then return to this screen to restore the full list.

Select the Add button to add a printer. The following dialog appears.

Figure 9: Add Dialog

Select the make and enter the model. You can also select New PPD file and browse your system or select Already installed PPD to use a previously installed driver.

3.4 Access Tab

This tab allows you to configure the specific groups and users that will be able to access the Mac OS using HOB MacGate. Any changes made here take effect when the lock or the panel is closed unless otherwise specified.

Figure 10: Access Tab

To allow only specified users access to HOB MacGate, select the Allow access for the following users & groups option. This enables you to select users and groups from the list on the left and move them to the allowed access list on the right. To add a user or group, select the user or group from the list on the left and then click the > symbol. To delete a user or a group from the allowed access list click the < symbol.

The list under the Users & Groups tab shows all available local users and groups associated with the Mac OS. Network users and network groups lists will be displayed under the tabs Network Groups or Network Users.
Connect your Mac to a network account server to view the Network Users and Network Groups lists.

To save time, users can also be added by entering the user name into the User name field and selecting the > symbol.

Make sure you do not remove your own user account when configuring the allowed access list within a HOB MacGate session.

3.5 Others Tab

This tab contains configuration settings that make it easier to monitor how HOB MacGate is working. Any changes made to the HOB MacGate tabs take effect when the lock or the panel is closed unless otherwise specified.

Figure 11: Others Tab

Enable extended logging
Messages from HOB MacGate are automatically written to the log contained in the folder /Library/Logs/HOB. The log can be displayed with the console program contained in the utilities folder of your Mac. For diagnostic purposes, you can enable the Enable extended logging checkbox to log even more details about your work. However, this results in more computing capacity being used, which can slow down your computer. HOB therefore recommends that this checkbox be disabled.

Use client-oriented keyboard mapping
Enable this checkbox to have keyboard controls like on a Mac system on your client system. For example, the “~” symbol can be created with the key combination “SHIFT + <” on Mac and with “SHIFT + `” on Windows. This is only valid for a keyboard with the U.S. layout.

Disable clipboard
Enable this option if you do not want to share data from your Mac clipboard with the client system clipboard.

Mirror display
Enable this option when using two monitors to display the same session on both.

When Mirror display is enabled and you are using monitors of different size, the HOB MacGate session appears the size of the smaller screen. To avoid a smaller display than desired, open the HOB MacGate session in the monitor that displays the bar menu.
To do so, open System Preferences > Displays > Arrangement and drag the bar menu to the screen preferred. When Mirror display is disabled, all screens except for the main monitor are disabled and are no longer a limiting factor.

Force automatic login of the client
Enable this checkbox to have the user sign on via the client before accessing the Mac logon screen. If a user is logged on to the console of the Mac that has HOB MacGate installed on it then this will automatically be the case.

Logout when disconnected after
Enable this checkbox to automatically log the user out whenever the remote connection is disconnected. This includes voluntary disconnections and any potential system crash or loss of signal. Applications that were in use prior to the disconnection will be closed. This option can be used in combination with Lock when disconnected after. Enter the number of units and then select the seconds, minutes, hours or days before the logout is executed following a disconnection. The default (0 seconds) is recommended here for security reasons.

Data loss can occur in applications running in the session when using this feature. This is a result of the logout operation initiated by HOB MacGate.

Lock when disconnected after
Enable this checkbox to automatically lock the session whenever the remote connection is disconnected. This includes voluntary disconnections and any potential system crash or loss of signal. This option can be used in combination with Logout when disconnected after. Enter the number of units and then select the seconds, minutes, hours or days before the logout is executed following a disconnection.

If Lock session under Local display options has been selected, this option will appear gray and cannot be selected as they have the same function in this situation.

Local display options
The following options are for the local display while a remote session is being used.

Lock session
This is the default selection. When this option is selected, the log on screen is visible on the local Mac display while the HOB MacGate session runs in the background.

Some OpenGL-related applications do not run in background mode. It is recommended to select Disable monitor to hide session instead.

Disable monitor to hide session
Select this option to disable the monitor on the remote Mac display. The monitor of the remote Mac where HOB MacGate is installed will appear to be off. The session will run in foreground mode; however, the monitor is deactivated and local mouse and keyboard input is blocked.

Show session
If this option is selected, the HOB MacGate session is visible on the remote Mac display as well as the local display. This can be helpful when assistance in the remote session is needed.

If Show session has been selected then Logout when disconnected after can be used to provide higher security in the event the connection is interrupted.

4 Configuring HOBLink JWT

When the installation and configuration on the Mac are complete, the connection to the client (e.g. Windows PC) must be configured. Configuring with HOBLink JWT is described in this section; however, Microsoft RDP client software is also suitable. In this case, refer to the appropriate client software with regards to configuration but use the settings as described below. Once these steps have been completed, HOBLink JWT can connect to the Mac to display the desktop.

4.1 Configuring the Connection with HOBLink JWT

1. Go to the Start menu and open HOBLink JWT Session Center.
2. Right-click the session to be configured and select Edit….
3. Select the Connection scheme.

   Figure 12: Connection Scheme

4. For Connection type, select Direct. This sets up the client to communicate directly with the server and not go through other proxies.
5. Disable the Choose RD server at runtime checkbox. This is to make sure that the Mac running HOB MacGate is selected as the desired server.
6. For RD server, enter the IP address or the host name of the Mac to be connected to (e.g. Companyserver1). All servers have names in these two forms by which they are identified on the network. Either can be used here.
7. For Port, enter the number of the port to be used for the connection. The default port number is 3389. If you have entered a different port number in the HOB MacGate configuration (see Section 3 Configuring HOB MacGate on page 11), then that port number must be entered here.

   The connection is now configured. If you click Close now, the HOBLink JWT Session Editor closes and must be reopened to continue.

8. Click Close to apply the settings and to close the HOBLink JWT Session Editor. The connection is configured and HOBLink JWT can connect to the Mac desktop.
9. You can enable the Use Wake-on-LAN checkbox to allow the client to wake up the Mac host. This will only work if the Wake for Ethernet network access in the Energy Saver option of the System Preferences on the Mac host (see Figure 3 on page 11) has been selected. The address of the Mac OS X desktop must be entered into the space provided for Mac Address.

   Depending on some system configurations of the Mac host, Wake-on-LAN may not always function properly.

For more information regarding HOBLink JWT, see the HOBLink JWT administration guide.

5 Combining HOB MacGate with HOB RD VPN

HOB MacGate can be combined with HOB RD VPN to offer a high performance solution for secure remote access to the applications and data in the Mac network. The steps described in this section enable RDP communication to take place between the two computers. The HOB WebSecureProxy (HOB WSP) component of HOB RD VPN is used for this purpose.
This is the secure system proxy that transmits and receives data between the machines in the network. HOB RD VPN Desktop-on-Demand can also be used.

5.1 Configuring HOB MacGate to Work with HOB RD VPN
No extra configuration of HOB MacGate is required to communicate with HOB RD VPN. Please refer to Section 3 Configuring HOB MacGate on page 11 for all necessary configuration information.

5.2 Configuring a HOBLink JWT Session
The client side software (HOBLink JWT) needs to be configured so that it recognizes the new Mac that it is connected to.

Configuring the Connection with HOB RD VPN
1. Start a browser and go to the HOB RD VPN Administration via https://rdvpn.example.com.
2. Log on with a Domain Administration account.
3. Open the HOB EA Administration. Regarding where to find the HOB EA Administration, see the HOB RD VPN Administration Guide.
Figure 13: Opening HOBLink JWT Session Configuration
4. Select the element of the hierarchy to create a connection for (users, groups, etc.) and select > > Sessions > HOBLink J-Term/JWT > Configure. You can also right-click an element and then select Configure > Sessions > HOBLink J-Term/JWT.
5. The HOBLink JWT Administration is displayed. Select the item Schemes in the organizational tree.
Figure 14: Connection Tab
6. Now select Connection and click New to open the configuration of a new connection.
7. Enter an appropriate Scheme Name for the connection to HOB MacGate, such as MacGate. This should be a name consistent with the sessions you will run once the program is fully configured.
8. For Connection Type, select Direct. This sets up the client to communicate directly with the server and not go through other proxies.
9. Disable the Choose Terminal Server at runtime checkbox. This is to make sure that the Mac running HOB MacGate is selected as the desired server.
10. For Terminal Server, enter the IP address or the host name of the Mac to be connected to (e.g. Companyserver1).
11. For Port, enter the number of the port to be used for the connection. The default is 3389. If you have entered a different port number in the HOB MacGate configuration (see Section 3 Configuring HOB MacGate on page 11), then that port number must be entered here.
12. Under WSP Server in case of HOB RD VPN, enter the name of the server to connect to and leave the Prompt user when connecting checkbox disabled.
If you are using HOB WebSecureProxy (see Section 5.3 Configuring HOB WebSecureProxy on page 25), the Server Name needs to be the same as the name that will be entered after Name on the Server List tab (see Figure 17 on page 26).
13. The Proxy configuration should be configured only if your network requires http proxies in order to connect to the Mac.
14. Click Close to apply the settings and close HOBLink JWT Session Editor. The connection is now configured and HOBLink JWT can connect to the Mac.

5.3 Configuring HOB WebSecureProxy
When using HOB MacGate with HOB RD VPN, the HOB WebSecureProxy needs to be configured to allow RDP communications. To do so, proceed as follows:
1. Start a browser and go to HOB RD VPN Administration via https://rdvpn.example.com:10000 and log on with your Global Administration account. Note that example in the browser address above needs to be replaced with the name of the server where HOB RD VPN is installed.
2. Start the EA Administration and open the HOB WebSecureProxy configuration. The following screen is displayed.
Figure 15: HOB RD VPN WebSecureProxy
3. Select Outgoing Connections > Other Targets > Add to add a server to the server list. The Server List screen is displayed.
Figure 16: Server List
4. Enter a name for the server (e.g. MacGate) and then click Add.
Figure 17: Server Configuration
5. The Mode must be 1:1 Proxy Gateway. This sets up direct one-to-one communication with the server.
6. Under Predefined protocol, select RDP Windows Terminal Server - HOB EXT-1. This is a default protocol created to ensure that HOBLink JWT connects correctly to HOB MacGate.
7. For Host IP Address, enter the IP address or host name of the Mac to be connected to (e.g. Companyserver1).
8. For Host port, enter the port number used for the connection to the Mac (default: 3389). If you have entered a different port number in the HOB MacGate configuration (see Section 3 Configuring HOB MacGate on page 11), then that port number must be entered here.
9. Click File > Save and exit the HOB WebSecureProxy configuration.
There is no need to restart HOB RD VPN. The changes will take effect automatically. How long this takes depends on the power of your HOB RD VPN computer and the configuration.

5.4 Configuring HOB RD VPN Desktop-on-Demand
For the HOB RD VPN Desktop-on-Demand configuration, two sides need to be configured: the HOB RD VPN side and the HOBLink JWT side. The following sections describe the necessary configuration steps.

5.4.1 HOB RD VPN Configuration
1. To enable the Wake-on-LAN function, open HOB EA Administration.
2. Select HOB RD VPN > User Settings > Configure (see Figure 13 on page 23).
3. Select Desktop on Demand from the list on the left (see Figure 18 on page 27). Follow the dialog to RD VPN 2.1 and then User Settings.
Figure 18: HOB RD VPN Desktop-on-Demand
4. Select Desktop On Demand and then select Add.
Figure 19: Wake-on-LAN Configuration
5. Enter a name for the configuration.
6. Under Remote PC, enter the information for the remote computer: the host IP address, the optional MAC address of the remote desktop (by selecting Retrieve & Apply or by entering it manually) and the port number. Port 3389 is the default.
7. Under Delay (sec) enter the number of seconds the remote PC has to respond before the connection attempt will be cancelled. The default setting is 180.
8. Save by selecting the Save button.
Depending on some system configurations of the Mac host, the Wake-on-LAN may not always function properly.
Desktop-on-Demand can also be accessed by opening the HOB EA Administration page and selecting User Settings > Settings > DesktopOnDemand.

5.4.2 HOBLink JWT Configuration
1. Start a browser and go to the HOB RD VPN Administration via https://rdvpn.example.com and log on with a Domain Administration account.
2. Open the HOB EA Administration. See the HOB RD VPN Administration Guide for where to find the HOB EA Administration.
3. Select the element to create a connection for (users, groups, etc.) and select > > Sessions > HOBLink J-Term/JWT > Configure. You can also right-click the element and then select Configure > Sessions > HOBLink J-Term/JWT.
4. Select Connection. The following screen is displayed.
Figure 20: HOBLink JWT Administration
5. Select Schemes in the organization tree, select Connection and click New on the bottom left to configure a new connection.
6. Enter a Scheme Name for the new connection scheme, e.g. MacGate. This must be consistent with the naming convention used before.
7. Under Connection Type, select WebSecureProxy Socks Mode. This completes the connection configuration.
8. Open the HOB WSP tab.
Figure 21: HOB WSP Tab
9. Select the Prompt user when connecting checkbox. If more than one RDP server is available, the user will be able to choose which to use.
If there is only one, the user will connect to it automatically.
10. Select Sessions and configure a new session to use the new connection scheme.
Figure 22: Sessions Tab
11. Click Close to save the settings and close the HOBLink JWT Administration.

6 Configuring Microsoft Remote Desktop Connection
When using a standard RDP connection, the following entries will be required. Microsoft Remote Desktop Configuration is used as an example in this section.
1. From the Start menu, go to Apps > Windows Accessories > Remote Desktop Connection.
Figure 23: Microsoft Remote Desktop Connection
2. Click Show Options to expand the screen.
Figure 24: General Tab
3. Go to the Advanced tab and make sure that either Connect and don’t warn me or Warn me (default) is selected.
Figure 25: Advanced Tab
4. Return to the General tab and enter the IP address or the host name of the Mac in the Computer field.
5. Enter the User name of the Mac.
6. Click Connect to establish the connection.
If you cannot connect, edit the remote desktop connection by saving the file, and editing this same file with an editor. A list will appear. Locate negotiate security layer:i:1. Now make sure that the last digit is a 1 and not 0.
It is recommended to enable the Allow me to save credentials checkbox. This is necessary on some systems that require these credentials and without having them saved, the connection may fail.

7 Printing with HOB MacGate
With HOB MacGate, you can print via a printer configured to the client that is accessing HOB MacGate or via a printer configured to your Mac. As soon as a connection is made from your client to your Mac, the printers of the client that is connected to your Mac are automatically mapped to the Mac.
Any application currently in use on the Mac can use the client printers.
In order to be able to print locally from the client that is accessing HOB MacGate while using an application on your Mac, the connection needs to be enabled on both sides beforehand. The steps to enable local printing on the client computer that is accessing the Mac are described below.

7.1 Enabling Printing in the Client Session
1. Open the Start menu and select HOBLink JWT Session Center.
2. Right-click the session to enable printing for and select Edit….
3. Select Printer from the organizational tree on the left.
Figure 26: Printer Tab
4. Select the Standard Printer Port Mapping radio button.
5. Select Include All Local Printers to make all local printers available for use during your client session using Mac applications (recommended).
If you are using Microsoft Remote Desktop Connection, go to the Local Resources tab and select the Printers checkbox under Local devices and resources. A similar procedure will be required for other RDP client software.
Figure 27: Local Resources Tab

7.2 Enabling Printing in HOB MacGate
To access the HOB MacGate preferences, refer to Section 3 Configuring HOB MacGate on page 11. The steps to enable local printing in HOB MacGate can be found in more detail in Section 3.3 Printing Tab on page 14.

7.3 Choosing the Correct Printer Driver
When the client session accessing HOB MacGate connects, the local printer (or printers) is mapped automatically to the Mac. To print correctly, HOB MacGate uses printer drivers in PostScript Printer Description (PPD) format. PPD files describe the entire set of features and capabilities available for their PostScript printers and contain the PostScript code (commands) used to invoke features for the print job. Thus, PPDs function as drivers for all PostScript printers by providing a unified interface for the printer's capabilities and features.
HOB MacGate installs many PPDs for a large list of printers and searches this list to find the correct driver for your printer. If it cannot find the correct driver, it uses a default driver that may not work correctly with your printer. In the event that the default driver does not work, see Section 7.3.1. Adding a Printer Driver on page 35.
To check which printer driver is suitable for your printer, go to the System Preferences of the connected Mac session and select Print & Fax (see Figure 3 on page 11). Then select the desired printer and read which Kind of printer it is. The specific name of the printer should be given here. If it is, the Mac has located the required driver and this printer can be used for printing. If it says Generic Post Script Printer, this is the Mac default printer driver. To use a specific printer driver, the relevant PPD file may need to be created or downloaded and added to those included in HOB MacGate.

7.3.1. Adding a Printer Driver
If a printer does not print correctly during the HOB MacGate session, it is highly likely that an incorrect printer driver is being used. To fix this problem, the correct PPD file for your printer needs to be installed. There are many ways to do this:
- Check your printer manufacturer’s website and download the correct PPD file.
- Go to http://www.openprinting.org/ and download the correct PPD file.
- If the printer manufacturer offers a printer driver installer for Mac OS X, the required PPD file might already be in the Mac directory: /etc/cups/ppd.
- Write your own PPD file. For more information, see http://www.adobe.com/devnet/ or http://partners.adobe.com/public/developer/ps/index_specs.html.
Once you have the correct PPD file, it needs to be added to HOB MacGate. To add the file:
1. Go to the Printing tab (see Figure 7 on page 14) in the HOB MacGate Preferences.
2. Select Configure Drivers and then select Add (see Figure 8 on page 15).
Figure 28: Adding a Printer Driver
3. Select your printer. You can also choose Other… from the list and enter the make of the printer being used. Now enter the name of your local machine as the printer (and driver). The driver name you enter here must EXACTLY match the name of the PPD file in terms of characters and spaces, although it need not match for case sensitivity. This information may have to be entered manually. For more information, see Section 8.1 The RDP Session Cannot Connect on page 37.
To check this name under Windows 8, for example, go to the Control Panel, select Devices and Printers, right-click the printer and go to Printer Properties. The Advanced tab shows the correct driver name.
4. Select the PPD file by selecting the New PPD file radio button and browsing your system or by selecting the Already installed PPD radio button to use a previously installed driver.
5. Click OK and restart HOB MacGate for the settings to take effect.

7.3.2 Setting a Default Printer Driver
If HOB MacGate cannot find the correct driver or if none are currently available, it uses the default driver. To view the currently configured default:
1. Go to the Printing tab of HOB MacGate Preferences.
2. Select Configure Drivers.
3. Select View Default. The PPD file name and printer are shown with a notification that this Driver is Default.
Figure 29: Setting a Default Printer Driver
If you would like to change the default (once you have made sure the correct PPD file has been installed, or you have just added it), then:
4. Select the Maker and Model of your printer driver.
5. Click Set as Default.
6. Restart HOB MacGate. HOB MacGate is ready to print as soon as the system restarts.

8 Troubleshooting
In the event that a connection cannot be established, see the information in the sections below in order to identify and fix the problem.
8.1 The RDP Session Cannot Connect
1. Make sure that the Mac IP address is accessible from (i.e. can be seen by) the client system. The best way is to use a ping command. If the client system does not find the Mac, check the network configuration of your system.
2. Check the system preferences for the HOB MacGate status to see if the program is running. Beside the program title, it should say On and show a small green icon. If it is not currently running (it says Off and shows a red icon), start the program again. If the program still does not start, check the logfiles for more information (see Section 8.3 Consulting the Logfile for Errors on page 39).
3. Check that the IP address and the port in the HOB MacGate configuration match those configured in the RDP session configuration.
4. If you are using Microsoft Remote Desktop Connection, ensure that Allow me to save credentials is enabled and that either Warn me or Connect and don’t warn me is selected (see Section 5 Combining HOB MacGate with HOB RD VPN on page 23).
5. Edit the remote desktop connection by saving the file, right-clicking it and opening it with a text editor. A list is displayed. Locate negotiate security layer:i:1. Make sure that the last digit is 1 and not 0.
6. On the System Preferences/Security/Firewall tab, check whether the firewall settings of the Mac allow incoming connections.
7. Should there be problems with printing, ensure that the name of the local printer driver is mapped properly by HOB MacGate. The name can be found in the Windows printer preferences. Go to Start > Devices and Printers, right-click the printer and select Printer properties. The name is displayed next to Model. The transmitted printer driver can be seen in the HOB MacGate logfiles.
If there is still no connection, contact HOB Software Support (see Section 12 Information and Support on page 47).
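The checks in steps 3 to 5 above, together with the printer mapping from Section 7.1, can be run over a saved .rdp file instead of being read off by eye. The following is an added example, not part of the HOB guide or HOB software: the setting names full address, authentication level and redirectprinters are standard Remote Desktop Connection file settings that the guide does not name, and the sample file contents and function names are constructed for illustration.

```python
import codecs

# Constructed sample (not from the guide): a saved .rdp file with every checked
# setting wrong, encoded as UTF-16 LE with a BOM, as mstsc usually saves it.
SAMPLE_RDP = codecs.BOM_UTF16_LE + (
    "full address:s:Companyserver1:3390\r\n"
    "negotiate security layer:i:0\r\n"
    "authentication level:i:1\r\n"
    "redirectprinters:i:0\r\n"
).encode("utf-16-le")

# Advanced tab choices as stored in "authentication level".
AUTH_LEVELS = {0: "Connect and don't warn me", 1: "Do not connect", 2: "Warn me"}


def parse_rdp(raw: bytes) -> dict:
    """Decode .rdp bytes and parse 'name:type:value' lines into a dict."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig", errors="replace")  # also plain ASCII
    settings = {}
    for line in text.splitlines():
        name, sep1, rest = line.strip().partition(":")
        kind, sep2, value = rest.partition(":")
        if not (sep1 and sep2):
            continue  # blank or malformed line
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue  # integer setting with a non-numeric value
        settings[name.strip().lower()] = value
    return settings


def split_address(address: str, default_port: int = 3389):
    """Split 'host' or 'host:port'; a bare IPv6 literal keeps the default port."""
    host, sep, port = address.rpartition(":")
    if sep and port.isdigit() and (host.count(":") == 0 or host.endswith("]")):
        return host.strip("[]"), int(port)
    return address.strip("[]"), default_port


def audit(settings: dict, mac_host: str, macgate_port: int = 3389) -> list:
    """Return (setting, message) findings for the values the guide says to check."""
    findings = []
    host, port = split_address(str(settings.get("full address", "")))
    if host.lower() != mac_host.lower() or port != macgate_port:
        findings.append(("full address",
                         f"targets {host}:{port}, expected {mac_host}:{macgate_port}"))
    if settings.get("negotiate security layer") != 1:
        findings.append(("negotiate security layer",
                         "missing or not 1; the last digit must be 1, not 0"))
    level = settings.get("authentication level")
    if level == 1:
        findings.append(("authentication level",
                         f"'{AUTH_LEVELS[level]}' is set; the guide expects 0 or 2"))
    if settings.get("redirectprinters") == 0:
        findings.append(("redirectprinters",
                         "Printers checkbox is off; client printers are not mapped"))
    return findings


if __name__ == "__main__":
    for setting, message in audit(parse_rdp(SAMPLE_RDP), "Companyserver1"):
        print(f"{setting}: {message}")
```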
8.2 The RDP Session Reports an Error

User is not Authorized to Open a Session
If one of the following screens indicating that the user does not have the correct authorization to use the HOB MacGate program is displayed, check the user name and password entered in the RDP session configuration.
Figure 30: User Not Authorized Error
Or:
Figure 31: Credentials Error
If the user is authorized to open a session on this computer and one of these dialogs appears, this indicates the user is attempting to open a second session, which is not permitted. Make sure that only one RDP session is connected to the Mac. If an RDP session is currently connected, the following menu icon is displayed on the Mac desktop menu bar of the computer accessing the Mac OS.
Figure 32: RDP Session Running Icon
If this is the case, the first user must log off (end their session) before the second user attempting to connect can successfully do so.
These dialogs will also be displayed if the configuration settings have not been correctly made. See Section 8.1 The RDP Session Cannot Connect on page 37 for more information.

Remote Computer not Authenticated
If the following error message is displayed when connecting, the setting Do not connect has been configured in the Remote Desktop Connection dialog on the Advanced tab - see Section 5 Combining HOB MacGate with HOB RD VPN on page 23.
Figure 33: Error Message

8.3 Consulting the Logfile for Errors
To see if any errors have occurred in the background even though there is a connection up and running, consult the system Logfile. To open the logfile, open Applications/Utilities/Console to open a terminal window, and then enter /Library/Logs/HOB. For more information, you can consult the Extended Log (see Section 3 Configuring HOB MacGate on page 11).

9 Starting and Stopping HOB MacGate
HOB MacGate consists of two processes (a daemon and a user agent) that are automatically started when the system boots up and when a user has logged in. These processes are:
- HOB MacGate Daemon: macgate
- HOB MacGate User Agent: macuserssn
HOB MacGate may be started or stopped either through the system preferences or by using commands in the Terminal Window.

9.1 Starting and Stopping HOB MacGate Using System Preferences
Open the system preferences on your computer and select HOB MacGate. Start or stop the HOB MacGate process by using the Restart and Start/Stop buttons at the bottom of the HOB MacGate Status Window (see Figure 4 on page 11).

10 Uninstalling HOB MacGate
There are three ways to uninstall HOB MacGate. Choose from the following:

Option 1
You can uninstall HOB MacGate by opening the HOB MacGate Uninstaller.pkg that was delivered with the software and by following the steps.

Option 2
You can also uninstall HOB MacGate by opening the Finder and going to System/Library/CoreServices/HOBmacgate/HOB MacGate Uninstaller.pkg.

Option 3
1. Open Terminal.app
2. Type in the following file name and execute it: /System/Library/CoreServices/HOBmacgate/mg_uninstall.sh
3. The following message will be displayed:
"HOB MacGate uninstall script."
"Press a key to continue or Ctrl+C to abort."
"Continue?"
4. Upon success the following message is displayed: “HOB MacGate has been uninstalled successfully!”
The script deletes itself on success. HOB MacGate is now uninstalled.

11 Supplementary Information
This section provides information on limitations and known issues for HOB MacGate.

11.1 Limitations
HOB MacGate 1.5 is the fifth published version and contains certain limitations that can be improved in future releases:
- Only one remote session (i.e. user) can connect to HOB MacGate at any time.
- When the Hide session on local screen mode is being used, applications using Open GL will be less graphically enhanced than if they were to be used locally on the Mac OS.
- HOB MacGate does not support all screen sizes possible in RDP sessions. The session will automatically be resized to one that is supported.
- The login screen is not redirected by HOB MacGate while a user session is active in the foreground. Therefore, it is necessary to authenticate to HOB MacGate using login in RDP.

11.2 Known Issues
All known issues at the time of completion of this guide can be found on the following web page: http://www.hobsoft.com/support/macgate/macgate.jsp

12 Information and Support
If you would like further information about HOB MacGate or if you need product support, please contact us at:

U.S.A. and Canada
General Enquiries:
Phone: + 1 866 914 9970
Fax: + 49 9103 715 3299
E-mail: [email protected]
Web: www.hobsoft.com
Technical Support:
Phone: + 1 866 914 9970
Fax: + 49 9103 715 3299
E-mail: [email protected]

Germany
General Enquiries:
Phone: + 49 9103 715 0
Fax: + 49 9103 715 3271
E-mail: [email protected]
Web: www.hob.de
Technical Support:
Phone: + 49 9103 715 3161
Fax: + 49 9103 715 3299
E-mail: [email protected]

Other Countries
General Enquiries:
Phone: + 49 9103 715 3103
Fax: + 49 9103 715 3299
E-mail: [email protected]
Web: www.hobsoft.com
Technical Support:
Phone: + 49 9103 715 3103
Fax: + 49 9103 715 3299