gitea-pages/proposals/draft-nx.md
2022-12-19 16:20:31 +01:00

NX

Sketch

Is high-availability mode really needed? NX makes the failover decision itself, and it is not always transparent how that decision is made.

rem-acc.psi.ch decides who is allowed to connect to a given NX machine that is connected to rem-acc.

The configuration is kept inside NX, in its own database.

svc-nx: the AD group that defines who is allowed to access the NoMachine proxy on rem-acc.

/root/scripts/change_rule.sh (written by Dima) wraps the nxserver commands and is used to update rules; root's shell history shows the most recent changes.

/root/scripts contains a set of other scripts.

Usually NX access from rem-acc to machines in the office network is not allowed (security requirement). There are exceptions:

  • detector group shared workstation: pcmic05
  • ENE, Jens Ehler: mpc2053, mpc2959

Rules for these machines cannot be modified dynamically; they must be changed manually, and each one needs a request to security to open a firewall rule.

Commands on rem-acc

List all configured servers (the output has one line per server):

```sh
nxserver --serverlist --extended
# restrict the list to the PSI NoMachine hosts:
nxserver --serverlist --extended | grep psi.ch | grep nomach
```

Show all access rules:

```sh
nxserver --rulelist
```
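Because rules are changed by hand (change_rule.sh, root's shell history) and only rem-acc-1 syncs its state, it helps to keep dated copies of what the two commands above print and to diff them. The script below is an added example, not code from the page or from NoMachine; it assumes `NXSERVER` points at the nxserver binary and `SNAPDIR` at a directory for the snapshots (both names are this example's own).

```shell
#!/bin/sh
# Added example, not part of the page or of NoMachine's tooling: snapshot the
# output of "nxserver --serverlist --extended" and "nxserver --rulelist" into
# one directory per run so that manually applied changes can be diffed later.
# Assumptions: NXSERVER is the nxserver binary (default: nxserver in PATH) and
# SNAPDIR is the snapshot directory (default: /root/nx-snapshots).

NXSERVER="${NXSERVER:-nxserver}"
SNAPDIR="${SNAPDIR:-/root/nx-snapshots}"

# nx_snapshot [label]: store serverlist and rulelist under $SNAPDIR/<label>
# (label defaults to a timestamp) and print the directory that was written.
nx_snapshot() {
    label="${1:-$(date +%Y%m%dT%H%M%S)}"
    dir="$SNAPDIR/$label"
    mkdir -p "$dir"
    "$NXSERVER" --serverlist --extended > "$dir/serverlist.txt"
    "$NXSERVER" --rulelist > "$dir/rulelist.txt"
    echo "$dir"
}

# nx_drift: diff the two most recent snapshots (most recent = last by name).
# Returns 0 when nothing changed, 1 when the server or rule list differs,
# 2 when fewer than two snapshots exist. The unified diff goes to stdout.
nx_drift() {
    set -- $(ls -d "$SNAPDIR"/*/ 2>/dev/null | sort | tail -n 2)
    if [ "$#" -ne 2 ]; then
        echo "need at least two snapshots in $SNAPDIR" >&2
        return 2
    fi
    rc=0
    for f in serverlist.txt rulelist.txt; do
        diff -u "$1$f" "$2$f" || rc=1
    done
    return "$rc"
}
```

Calling `nx_snapshot` from the existing cron on rem-acc-1 gives a change record that does not depend on root's shell history surviving, and `nx_drift` run after a change_rule.sh session shows exactly which rule lines were added or removed.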

Software

Components in use:

  • RemACC: NoMachine Cloud Server
  • xxx proxies: NoMachine Enterprise Desktop Service
  • nodes behind a proxy: NoMachine Enterprise Server; these nodes can only be reached through a proxy (Enterprise Desktop Service)

Consoles: Enterprise Desktop allows connections to the physical console, 1 session. On Windows this is the only product we use.

Virtual desktops on Linux:

  • NoMachine Workstation: up to 4 virtual sessions can be created; usually used on the -vcons- systems
  • Small Business Terminal Server Subscription: same as above but up to 10 virtual sessions (only used for ENE)
  • Terminal Server: same as above but an unlimited number of sessions

NoMachine Desktop: completely free license, same functionality as Enterprise Desktop, but it cannot be reached from the proxy/Cloud Server!

Depending on the product, the price differences are huge.

Each machine has its own license. Licenses are bought in packs; some licenses also depend on a count (the note does not say which).

All licenses are now synchronized to be paid in April.

On Linux the licenses are distributed via Puppet (encrypted ...). The machines are spread over different hiera classes, so assigning and configuring the licenses is difficult.

There are 50 Windows machines (we have 60 licenses). Distribution on Windows is done with Baramundi; Dima has access to it. Updates of the software are done by the Windows team (they make the Baramundi packages).

Linux: 85 machines (90 Enterprise Desktop licenses).

On Windows every installation of the NoMachine software requires 2 reboots: one after the removal, one after the install.

On Linux no reboot is needed, but running virtual sessions are killed during the install; physical desktops are not affected.

Updates must be communicated to the users beforehand!

The Linux RPMs are in this repository, updated by Dima: http://repo00.psi.ch/el7/manual/nxserver/

There is a .htaccess file in that directory that restricts access to the repo to the listed nodes. This file is therefore also the list of all Linux nodes that are in any way related to NX.

NoMachine only publishes the RPM of the current version and removes older ones.

Adding a node:

  • Open the firewall (request to network@psi.ch).
  • Install the software on the node.
  • Register the node on rem-acc with /root/scripts/add_node.sh.
  • Update the MongoDB for Rama (done by Dima): connect to rama.psi.ch as root, then `mongo`, `use rama`, `db.TargetMode.insert(......` (check the shell history for the exact document).

RAMA IS NOT UP TO DATE!
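Two of the steps above fail silently when done out of order: a node that is not yet in the repo .htaccess cannot fetch the RPMs, and a node whose firewall request is still pending cannot be reached from rem-acc. The following pre-flight script is an added example, not one of the /root/scripts on rem-acc; the .htaccess path, the NX port (NoMachine's default 4000) and the function names are this example's assumptions, and the allow list is read from `Require host`/`Require ip` (Apache 2.4) and `Allow from` (Apache 2.2) lines.

```shell
#!/bin/sh
# Added example, not part of the page or of the PSI scripts: pre-flight checks
# before a new Linux node is registered with /root/scripts/add_node.sh.
# Assumptions (none of these paths or ports are stated on the page):
#   HTACCESS - the .htaccess of the nxserver RPM repo on repo00, as a local file
#   NXPORT   - the port the node's nxserver listens on (NoMachine default 4000)
# The allow list is read from "Require host"/"Require ip" (Apache 2.4) and
# "Allow from" (Apache 2.2) lines; every other directive is ignored.

HTACCESS="${HTACCESS:-/var/www/html/el7/manual/nxserver/.htaccess}"
NXPORT="${NXPORT:-4000}"

# htaccess_allowed: print every host or address the repo allows, one per line.
# Since the file lists all NX-related Linux nodes, this doubles as an inventory.
htaccess_allowed() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "require" && (tolower($2) == "host" || tolower($2) == "ip") {
            for (i = 3; i <= NF; i++) print $i
            next
        }
        tolower($1) == "allow" && tolower($2) == "from" {
            for (i = 3; i <= NF; i++) print $i
        }
    ' "$HTACCESS"
}

# htaccess_has_node <node>: 0 if <node> is listed exactly, 1 otherwise.
# A bare domain suffix such as ".psi.ch" in "Require host" would allow every
# host in that domain; this check deliberately looks for an exact entry only.
htaccess_has_node() {
    htaccess_allowed | grep -qxF -- "$1"
}

# nx_port_open <node>: 0 if TCP $NXPORT on <node> answers within 3 seconds.
# A closed port after the install usually means the firewall request is still open.
nx_port_open() {
    nc -z -w 3 "$1" "$NXPORT" 2>/dev/null
}

# nx_preflight <node>: run both checks, print a summary, return 0 only if all pass.
nx_preflight() {
    node="$1"
    rc=0
    if htaccess_has_node "$node"; then
        echo "ok    $node is allowed to fetch RPMs (listed in $HTACCESS)"
    else
        echo "FAIL  $node is missing from $HTACCESS (add it before installing)"
        rc=1
    fi
    if nx_port_open "$node"; then
        echo "ok    $node:$NXPORT is reachable from this host"
    else
        echo "FAIL  $node:$NXPORT not reachable (firewall not yet opened or nxserver not running)"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "next: /root/scripts/add_node.sh $node, then update the rama MongoDB"
    fi
    return "$rc"
}
```

Run `nx_preflight newnode.psi.ch` on rem-acc-1 before add_node.sh; `htaccess_allowed` on its own is a quick way to list every node the repo knows about when rama is out of date.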

Licenses

35000 CHF - 21 April 2023


Check out alternatives: Open OnDemand, and RustDesk (https://rustdesk.com).

Meeting

If you do not connect to rem-acc as the admin user, a script is executed on login; this is configured somewhere in /etc/ssh/sshd_config.
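The usual mechanism for "a script runs unless you are the admin user" is a `ForceCommand` inside a `Match User` block of sshd_config, and sshd's negation rules make that easy to get wrong: `Match User !admin` on its own matches nobody, while `Match User !admin,*` matches everyone except admin. The script below is an added example, not taken from rem-acc, that resolves the effective ForceCommand for a user from a config file; `SSHD_CONFIG` and `forcecommand_for` are this example's own names, and it evaluates only `Match User` and `Match all` blocks.

```shell
#!/bin/sh
# Added example, not part of the page: work out which ForceCommand sshd applies
# to a given login user by reading the Match blocks of sshd_config, so the
# "script executed for non-admin users" can be located instead of guessed.
# Assumptions: SSHD_CONFIG is the server config (default /etc/ssh/sshd_config);
# only "Match User ..." and "Match all" blocks are evaluated, with the
# comma-separated lists, * and ? wildcards and ! negation sshd uses; criteria
# other than User are ignored (a block keyed only on Group/Address/Host never
# matches here). Use "sshd -T -C ..." on the host for the authoritative answer.

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# forcecommand_for <user>: print the effective ForceCommand for <user>, or an
# empty line if none applies. As in sshd, a Match block overrides the global
# value and the first matching Match block that sets the keyword wins.
forcecommand_for() {
    awk -v user="$1" '
        # glob(p, s): does pattern p (with * and ?) match the whole string s?
        function glob(p, s,   c) {
            if (p == "") return s == ""
            c = substr(p, 1, 1)
            if (c == "*") return glob(substr(p, 2), s) || (s != "" && glob(p, substr(s, 2)))
            if (s == "") return 0
            if (c == "?" || c == substr(s, 1, 1)) return glob(substr(p, 2), substr(s, 2))
            return 0
        }
        # userlist_matches(list): sshd pattern-list semantics. A matching negated
        # entry vetoes the block; a list made only of negations never matches, so
        # "Match User !admin" applies to nobody and "!admin,*" to everyone else.
        function userlist_matches(list,   n, parts, i, p, hit) {
            n = split(list, parts, ",")
            hit = 0
            for (i = 1; i <= n; i++) {
                p = parts[i]
                if (substr(p, 1, 1) == "!") {
                    if (glob(substr(p, 2), user)) return 0
                } else if (glob(p, user)) {
                    hit = 1
                }
            }
            return hit
        }
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" {
            inmatch = 1
            applies = (NF == 2 && tolower($2) == "all")
            for (i = 2; i < NF; i += 2)
                if (tolower($i) == "user") applies = userlist_matches($(i + 1))
            next
        }
        tolower($1) == "forcecommand" {
            cmd = $0
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", cmd)   # drop the keyword
            if (!inmatch) { if (global == "") global = cmd }
            else if (applies && matched == "") matched = cmd
        }
        END { print (matched != "" ? matched : global) }
    ' "$SSHD_CONFIG"
}
```

On rem-acc itself the authoritative check is `sshd -T -C user=<login>,host=<client-name>,addr=<client-ip> | grep -i forcecommand`, which has sshd evaluate every Match criterion; the script is for reading a copy of the config offline, for example the one in the data-rem-acc hiera repo.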

Most of what Dima does goes through Puppet; the hiera config is at https://git.psi.ch/linux-infra/data-rem-acc

There are no Ansible scripts.

  • Whatever is not done by Puppet is/was done manually.

rem-acc-1/2 still have access to repo00 and the Puppet server although they are in the extranet, but not to git.

Cron jobs on rem-acc-1 synchronize the internal state/database of nx-server. These cron jobs were placed manually; there are no such cron jobs on rem-acc-2.

/root/scripts on remacc1 is

If rem-acc-2 is master there is no sync and rama will not work; rem-acc-2 is only meant for short outages. Whether HA is really needed must be discussed.

We do not have the NX support package; the response time for tickets is a few days (defined in the license). We have access to the NoMachine portal.

Dario can make changes in the NX portal management at www.nomachine.com; accounts need to be created by Dario.

The portal is used to download the RPMs (one by one) for Linux and Windows, and to open tickets.

https://intranet.psi.ch/de/daas contains some information on why NoMachine is used.

WINDOWS: there are more than x Windows machines on this service.

The license needs to be updated on a Windows admin machine; the time of the NX update must be scheduled with the user!