VirtualBox

source: vbox/trunk/doc/manual/en_US/user_Frontends.xml@ 74865

Last change on this file since 74865 was 73276, checked in by vboxsync, 6 years ago

doc/manual: Big build system overhaul, because the use of entities and catalogs eliminates the need to have placeholders in XML which previously needed separate preprocessing. Many cleanups, including replacing almost all pattern rules (since their dependencies had to be too generous) and using defines instead. Also integrated many cleanups for the user manual text (which needs careful review, couldn't check yet if it uses any additional tags which some of our XSLT would ignore).

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id Revision
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"[
<!ENTITY % all.entities SYSTEM "all-entities.ent">
%all.entities;
]>
<chapter id="remotevm">

<title>Remote Virtual Machines</title>

<sect1 id="vrde">

<title>Remote Display (VRDP Support)</title>

<para>
VirtualBox can display virtual machines remotely, meaning that a
virtual machine can execute on one computer even though the
machine will be displayed on a second computer, and the machine
will be controlled from there as well, as if the virtual machine
was running on that second computer.
</para>

<para>
For maximum flexibility, starting with VirtualBox 4.0, VirtualBox
implements remote machine display through a generic extension
interface, the VirtualBox Remote Desktop Extension (VRDE). The
base open source VirtualBox package only provides this interface,
while implementations can be supplied by third parties with
VirtualBox extension packages, which must be installed separately
from the base package. See
<xref
linkend="intro-installing" />.
</para>

<para>
Oracle provides support for the VirtualBox Remote Display Protocol
(VRDP) in such a VirtualBox extension package. When this package
is installed, VirtualBox versions 4.0 and later support VRDP the
same way as binary (non-open source) versions of VirtualBox before
4.0 did.
</para>

<para>
VRDP is a backwards-compatible extension to Microsoft's Remote
Desktop Protocol (RDP). As a result, you can use any standard RDP
client to control the remote VM.
</para>

<para>
Even when the extension is installed, the VRDP server is disabled
by default. It can easily be enabled on a per-VM basis either in
the VirtualBox Manager in the Display settings, see
<xref
linkend="settings-display" />, or with
<computeroutput>VBoxManage</computeroutput>:
</para>

<screen>VBoxManage modifyvm "VM name" --vrde on</screen>

<para>
By default, the VRDP server uses TCP port
<computeroutput>3389</computeroutput>. You will need to change the
default port if you run more than one VRDP server, since the port
can only be used by one server at a time. You might also need to
change it on Windows hosts since the default port might already be
used by the RDP server that is built into Windows itself. Ports
5000 through 5050 are typically not used and might be a good
choice.
</para>

<para>
The port can be changed either in the Display settings of the
graphical user interface or with the
<computeroutput>--vrdeport</computeroutput> option of the
<computeroutput>VBoxManage modifyvm</computeroutput> command. You
can specify a comma-separated list of ports or ranges of ports.
Use a dash between two port numbers to specify a range. The VRDP
server will bind to <emphasis>one</emphasis> of the available
ports from the specified list. For example,
<computeroutput>VBoxManage modifyvm "VM name" --vrdeport
5000,5010-5012</computeroutput> will configure the server to bind
to one of the ports 5000, 5010, 5011, or 5012. See
<xref
linkend="vboxmanage-modifyvm-vrde" />.
</para>

<para>
The actual port used by a running VM can either be queried with
the <computeroutput>VBoxManage showvminfo</computeroutput> command
or seen in the GUI on the Runtime tab of the Session Information
dialog, which is accessible via the Machine menu of the VM window.
</para>

<para>
Support for IPv6 has been implemented in VirtualBox 4.3. If the
host OS supports IPv6, the VRDP server will automatically listen
for IPv6 connections in addition to IPv4.
</para>

<sect2 id="rdp-viewers">

<title>Common Third-Party RDP Viewers</title>

<para>
Since VRDP is backwards-compatible with RDP, you can use any
standard RDP viewer to connect to such a remote virtual machine.
For this to work, you must specify the IP address of your
<emphasis>host</emphasis> system, not of the virtual machine, as
the server address to connect to. You must also specify the port
number that the VRDP server is using.
</para>

<para>
The following examples are for the most common RDP viewers:
</para>

<itemizedlist>

<listitem>
<para>
On Windows, you can use the Microsoft Terminal Services
Connector, <computeroutput>mstsc.exe</computeroutput>, that
is included with Windows. Press the
<emphasis role="bold">Windows key + R</emphasis> to display
the Run dialog. Enter <command>mstsc</command> to start the
program. You can also find the program in
<emphasis role="bold">Start</emphasis>,
<emphasis role="bold">All Programs</emphasis>,
<emphasis role="bold">Accessories</emphasis>,
<emphasis role="bold">Remote Desktop Connection</emphasis>.
If you use the Run dialog, you can type in options directly.
For example:
</para>

<screen>mstsc 1.2.3.4:3389</screen>

<para>
Replace <computeroutput>1.2.3.4</computeroutput> with the
host IP address, and <computeroutput>3389</computeroutput>
with a different port, if necessary.
</para>

<note>
<itemizedlist>

<listitem>
<para>
IPv6 addresses must be enclosed in square brackets to
specify a port. For example: <computeroutput>mstsc
[fe80::1:2:3:4]:3389</computeroutput>
</para>
</listitem>

<listitem>
<para>
When connecting to localhost in order to test the
connection, the addresses
<computeroutput>localhost</computeroutput> and
<computeroutput>127.0.0.1</computeroutput> might not
work using <computeroutput>mstsc.exe</computeroutput>.
Instead, the address
<computeroutput>127.0.0.2[:3389]</computeroutput> has
to be used.
</para>
</listitem>

</itemizedlist>
</note>
</listitem>

<listitem>
<para>
On other systems, you can use the standard open source
<computeroutput>rdesktop</computeroutput> program. This
ships with most Linux distributions, but VirtualBox also
comes with a modified variant of rdesktop for remote USB
support. See <xref
linkend="usb-over-rdp" />.
</para>

<para>
With rdesktop, use a command line such as the following:
</para>

<screen>rdesktop -a 16 -N 1.2.3.4:3389</screen>

<para>
Replace <computeroutput>1.2.3.4</computeroutput> with the
host IP address, and <computeroutput>3389</computeroutput>
with a different port, if necessary. The <computeroutput>-a
16</computeroutput> option requests a color depth of 16 bits
per pixel, which we recommend. For best performance, after
installation of the guest operating system, you should set
its display color depth to the same value. The
<computeroutput>-N</computeroutput> option enables use of
the NumPad keys.
</para>
</listitem>

<listitem>
<para>
If you run the KDE desktop, you can use
<computeroutput>krdc</computeroutput>, the KDE RDP viewer. A
typical command line is as follows:
</para>

<screen>krdc rdp://1.2.3.4:3389</screen>

<para>
Replace <computeroutput>1.2.3.4</computeroutput> with the
host IP address, and <computeroutput>3389</computeroutput>
with a different port, if necessary. The "rdp://" prefix is
required with krdc to switch it into RDP mode.
</para>
</listitem>

<listitem>
<para>
With Sun Ray thin clients you can use
<computeroutput>uttsc</computeroutput>, which is part of the
Sun Ray Windows Connector package. See the Sun Ray
documentation for details.
</para>
</listitem>

</itemizedlist>

</sect2>

<sect2 id="vboxheadless">

<title>VBoxHeadless, the Remote Desktop Server</title>

<para>
While any VM started from the VirtualBox Manager can be
displayed remotely, it is not convenient to have
to run the full-fledged GUI if you never want to have VMs
displayed locally in the first place. In particular, if you are
running server hardware whose only purpose is to host VMs, and
all your VMs are supposed to run remotely over VRDP, then it is
pointless to have a graphical user interface on the server at
all. This is especially true for Linux or Solaris hosts, as the
VirtualBox manager comes with dependencies on the Qt and SDL
libraries. This is inconvenient if you would rather not have the
X Window system on your server at all.
</para>

<para>
VirtualBox therefore comes with a front-end called
<computeroutput>VBoxHeadless</computeroutput>, which produces no
visible output on the host at all, but still can deliver VRDP
data. This front-end has no dependencies on the X Window system
on Linux and Solaris hosts.

<footnote>

<para>
Before VirtualBox 1.6, the headless server was called
<computeroutput>VBoxVRDP</computeroutput>. For the sake of
backwards compatibility, the VirtualBox installation still
installs an executable with that name as well.
</para>

</footnote>
</para>

<para>
To start a virtual machine with
<computeroutput>VBoxHeadless</computeroutput>, you have the
following options:
</para>

<itemizedlist>

<listitem>
<para>
Use the <computeroutput>VBoxManage</computeroutput> command,
as follows:
</para>

<screen>VBoxManage startvm "VM name" --type headless</screen>

<para>
The <computeroutput>--type</computeroutput> option causes
VirtualBox to use
<computeroutput>VBoxHeadless</computeroutput> as the
front-end to the internal virtualization engine, instead of
the Qt front-end.
</para>
</listitem>

<listitem>
<para>
Use the <computeroutput>VBoxHeadless</computeroutput>
command, as follows:
</para>

<screen>VBoxHeadless --startvm &lt;uuid|name&gt;</screen>

<para>
This way of starting the VM helps with troubleshooting problems
reported by <computeroutput>VBoxManage startvm
</computeroutput>, because you can sometimes see more
detailed error messages, especially for early failures
before the VM execution is started. In normal situations
<computeroutput>VBoxManage startvm</computeroutput> is
preferred, since it runs the VM directly as a background
process, which has to be done explicitly when starting
<computeroutput>VBoxHeadless</computeroutput> directly.
</para>
</listitem>

<listitem>
<para>
Start <computeroutput>VBoxHeadless</computeroutput> from the
VirtualBox Manager GUI, by holding the Shift key when
starting a virtual machine or by selecting
<emphasis role="bold">Headless Start</emphasis> from the
<emphasis role="bold">Machine</emphasis> menu.
</para>
</listitem>

</itemizedlist>

<para>
Since VirtualBox version 5.0, when you use
<computeroutput>VBoxHeadless</computeroutput> to start a VM, the
VRDP server will be enabled according to the VM configuration.
You can override the VM's setting using the
<computeroutput>--vrde</computeroutput> command line parameter.
To enable the VRDP server, start the VM like this:

<screen>VBoxHeadless --startvm &lt;uuid|name&gt; --vrde on</screen>

To disable the VRDP server:

<screen>VBoxHeadless --startvm &lt;uuid|name&gt; --vrde off</screen>

To have the VRDP server enabled depending on the VM
configuration, as the other front-ends would, you can use:

<screen>VBoxHeadless --startvm &lt;uuid|name&gt; --vrde config</screen>

This command is the same as:

<screen>VBoxHeadless --startvm &lt;uuid|name&gt;</screen>
</para>

<para>
If you start the VM with <computeroutput>VBoxManage
startvm</computeroutput> then the configuration settings of the
VM are always used.
</para>

</sect2>

<sect2 id="headless-vm-steps">

<title>Step by Step: Creating a Virtual Machine on a Headless Server</title>

<para>
The following instructions describe how to create a virtual
machine on a headless server over a network connection. This
example creates a virtual machine, establishes an RDP connection
and installs a guest operating system. All of these tasks are
done without having to touch the headless server. You need the
following prerequisites:
</para>

<itemizedlist>

<listitem>
<para>
VirtualBox on a server machine with a supported host
operating system. The VirtualBox extension pack for the VRDP
server must be installed, see <xref linkend="vrde"/>. The
procedures assume a Linux server is used.
</para>
</listitem>

<listitem>
<para>
An ISO file accessible from the server, containing the
installation data for the guest operating system to install.
Windows XP is used in the example.
</para>
</listitem>

<listitem>
<para>
A terminal connection to that host through which you can
access a command line, such as
<computeroutput>ssh</computeroutput>.
</para>
</listitem>

<listitem>
<para>
An RDP viewer on the remote client. See
<xref
linkend="rdp-viewers" /> for examples.
</para>
</listitem>

</itemizedlist>

<para>
Note that on the server machine, since we will only use the
headless server, Qt, SDL, and the X Window system are not
required.
</para>

<orderedlist>

<listitem>
<para>
On the headless server, create a new virtual machine. For
example:
</para>

<screen>VBoxManage createvm --name "Windows XP" --ostype WindowsXP --register</screen>

<para>
If you do not specify
<computeroutput>--register</computeroutput>, you will have
to manually use the
<computeroutput>registervm</computeroutput> command later.
</para>

<para>
You do not need to specify
<computeroutput>--ostype</computeroutput>, but doing so
selects some sensible default values for certain VM
parameters. For example, the RAM size and the type of the
virtual network device. To get a complete list of supported
operating systems you can use the following command:
</para>

<screen>VBoxManage list ostypes</screen>
</listitem>

<listitem>
<para>
Make sure the settings for the VM are appropriate for the
guest operating system that we will install. For example:
</para>

<screen>VBoxManage modifyvm "Windows XP" --memory 256 --acpi on --boot1 dvd --nic1 nat</screen>
</listitem>

<listitem>
<para>
Create a virtual hard disk for the VM. For example, to
create a 10 GB virtual hard disk:
</para>

<screen>VBoxManage createhd --filename "WinXP.vdi" --size 10000</screen>
</listitem>

<listitem>
<para>
Add an IDE Controller to the new VM. For example:
</para>

<screen>VBoxManage storagectl "Windows XP" --name "IDE Controller" \
    --add ide --controller PIIX4</screen>
</listitem>

<listitem>
<para>
Set the VDI file you created as the first virtual hard disk
of the new VM. For example:
</para>

<screen>VBoxManage storageattach "Windows XP" --storagectl "IDE Controller" \
    --port 0 --device 0 --type hdd --medium "WinXP.vdi"</screen>
</listitem>

<listitem>
<para>
Attach the ISO file that contains the operating system
installation that you want to install later to the virtual
machine. This is done so that the VM can boot from it.
</para>

<screen>VBoxManage storageattach "Windows XP" --storagectl "IDE Controller" \
    --port 0 --device 1 --type dvddrive --medium /full/path/to/iso.iso</screen>
</listitem>

<listitem>
<para>
Enable the VirtualBox Remote Desktop Extension, the VRDP
server, as follows:
</para>

<screen>VBoxManage modifyvm "Windows XP" --vrde on</screen>
</listitem>

<listitem>
<para>
Start the virtual machine using the
<computeroutput>VBoxHeadless</computeroutput> command:
</para>

<screen>VBoxHeadless --startvm "Windows XP"</screen>

<para>
If the configuration steps worked, you should see a
copyright notice. If you are returned to the command line,
then something did not work correctly.
</para>
</listitem>

<listitem>
<para>
On the client machine, start the RDP viewer and connect to
the server. See <xref linkend="rdp-viewers" /> for details
of how to use various common RDP viewers.
</para>

<para>
The installation routine of your guest operating system
should be displayed in the RDP viewer.
</para>
</listitem>

</orderedlist>

</sect2>

<sect2 id="usb-over-rdp">

<title>Remote USB</title>

<para>
As a special feature in addition to the VRDP support, VirtualBox
also supports remote USB devices over the wire. That is, the
VirtualBox guest that runs on one computer can access the USB
devices of the remote computer on which the VRDP data is being
displayed the same way as USB devices that are connected to the
actual host. This allows for running virtual machines on a
VirtualBox host that acts as a server, where a client can
connect from elsewhere that needs only a network adapter and a
display capable of running an RDP viewer. When USB devices are
plugged into the client, the remote VirtualBox server can access
them.
</para>

<para>
For these remote USB devices, the same filter rules apply as for
other USB devices. See <xref linkend="settings-usb" />. All you
have to do is specify Remote, or Any, when setting up these
rules.
</para>

<para>
Accessing remote USB devices is only possible if the RDP client
supports this extension. On Linux and Solaris hosts, the
VirtualBox installation provides a suitable VRDP client called
<computeroutput>rdesktop-vrdp</computeroutput>. Recent versions
of <computeroutput>uttsc</computeroutput>, a client tailored for
use with Sun Ray thin clients, also support accessing remote
USB devices. RDP clients for other platforms will be provided in
future VirtualBox versions.
</para>

<para>
To make a remote USB device available to a VM,
<computeroutput>rdesktop-vrdp</computeroutput> should be started
as follows:

<screen>rdesktop-vrdp -r usb -a 16 -N my.host.address</screen>

Please refer to <xref linkend="ts_usb-linux" /> for further
details on how to properly set up the permissions for USB
devices. Furthermore, it is advisable to disable automatic
loading of any host driver on the remote host which might work
on USB devices to ensure that the devices are accessible by the
RDP client. If the setup was properly done on the remote host,
plug/unplug events are visible in the VBox.log file of the VM.
</para>

</sect2>

<sect2 id="vbox-auth">

<title>RDP Authentication</title>

<para>
For each virtual machine that is remotely accessible via RDP,
you can individually determine if and how client connections are
authenticated. For this, use the <computeroutput>VBoxManage
modifyvm</computeroutput> command with the
<computeroutput>--vrdeauthtype</computeroutput> option. See
<xref
linkend="vboxmanage-modifyvm" />. The following
methods of authentication are available:
</para>

<itemizedlist>

<listitem>
<para>
The <emphasis role="bold">null</emphasis> method means that
there is no authentication at all. Any client can connect to
the VRDP server and thus the virtual machine. This is very
insecure and only to be recommended for private networks.
</para>
</listitem>

<listitem>
<para>
The <emphasis role="bold">external</emphasis> method
provides external authentication through a special
authentication library. VirtualBox ships with two special
authentication libraries:
</para>

<orderedlist>

<listitem>
<para>
The default authentication library,
<computeroutput>VBoxAuth</computeroutput>, authenticates
against user credentials of the host. Depending on the
host platform, this means the following:
</para>

<itemizedlist>

<listitem>
<para>
On Linux hosts,
<computeroutput>VBoxAuth.so</computeroutput>
authenticates users against the host's PAM system.
</para>
</listitem>

<listitem>
<para>
On Windows hosts,
<computeroutput>VBoxAuth.dll</computeroutput>
authenticates users against the host's WinLogon
system.
</para>
</listitem>

<listitem>
<para>
On Mac OS X hosts,
<computeroutput>VBoxAuth.dylib</computeroutput>
authenticates users against the host's directory
service.

<footnote>

<para>
Support for Mac OS X was added in version 3.2.
</para>

</footnote>
</para>
</listitem>

</itemizedlist>

<para>
In other words, the external method by default performs
authentication with the user accounts that exist on the
host system. Any user with valid authentication
credentials is accepted. For example, the username does
not have to correspond to the user running the VM.
</para>
</listitem>

<listitem>
<para>
An additional library called
<computeroutput>VBoxAuthSimple</computeroutput> performs
authentication against credentials configured in the
"extradata" section of a virtual machine's XML settings
file. This is probably the simplest way to get
authentication that does not depend on a running and
supported guest. The following steps are required:
</para>

<orderedlist>

<listitem>
<para>
Enable
<computeroutput>VBoxAuthSimple</computeroutput> with
the following command:
</para>

<screen>VBoxManage setproperty vrdeauthlibrary "VBoxAuthSimple"</screen>
</listitem>

<listitem>
<para>
To enable the library for a particular VM, you must
switch authentication to external, as follows:
</para>

<screen>VBoxManage modifyvm "VM name" --vrdeauthtype external</screen>

<para>
Replace <computeroutput>"VM name"</computeroutput>
with the VM name or UUID.
</para>
</listitem>

<listitem>
<para>
You then need to configure users and passwords by
writing items into the machine's extradata. Because
the XML machine settings file, into whose
<computeroutput>extradata</computeroutput> section
the password needs to be written, is a plain text
file, VirtualBox stores a hash of the password
instead of the password itself.
The following command must be used:
</para>

<screen>VBoxManage setextradata "VM name" "VBoxAuthSimple/users/&lt;user&gt;" &lt;hash&gt;</screen>

<para>
Replace <computeroutput>"VM name"</computeroutput>
with the VM name or UUID,
<computeroutput>&lt;user&gt;</computeroutput> with
the name of the user who should be allowed to log in and
<computeroutput>&lt;hash&gt;</computeroutput> with
the hashed password. As an example, to obtain the
hash value for the password
<computeroutput>secret</computeroutput>, you can use
the following command:
</para>

<screen>VBoxManage internalcommands passwordhash "secret"</screen>

<para>
This command will generate output similar to the
following:
</para>

<screen>2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b</screen>

<para>
You then use <computeroutput>VBoxManage setextradata</computeroutput>
to store this value in the machine's
<computeroutput>extradata</computeroutput> section.
</para>

<para>
As a combined example, to set the password for the
user <computeroutput>john</computeroutput> and the
machine <computeroutput>My VM</computeroutput> to
<computeroutput>secret</computeroutput>, use this
command:
</para>

<screen>VBoxManage setextradata "My VM" "VBoxAuthSimple/users/john" \
    2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b</screen>
</listitem>

</orderedlist>
</listitem>

</orderedlist>
</listitem>

<listitem>
<para>
The <emphasis role="bold">guest</emphasis> authentication
method performs authentication with a special component that
comes with the Guest Additions. As a result, authentication
is not performed on the host, but with the guest user
accounts.
</para>

<para>
This method is currently still in testing and not yet
supported.
</para>
</listitem>

</itemizedlist>

<para>
In addition to the methods described above, you can replace the
default external authentication module with any other module.
For this, VirtualBox provides a well-defined interface that
allows you to write your own authentication module. This is
described in detail in the VirtualBox Software Development Kit
(SDK) reference. See <xref
linkend="VirtualBoxAPI" />.
</para>

</sect2>
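
The three VBoxAuthSimple steps above as one script that reads the password from standard input, so the clear text never appears in shell history or in a process list. This is an added example, not part of the VirtualBox manual; it assumes the stored value is the unsalted SHA-256 hex digest of the password (which reproduces the manual's sample hash for `secret`), and the function names, the `VBOXMANAGE` override and the user-name character policy are hypothetical.

```shell
#!/bin/sh
# Added example (not from the VirtualBox manual).
# Assumption: VBoxAuthSimple stores the unsalted SHA-256 hex digest of the
# password. Function names, VBOXMANAGE and the user-name policy are
# hypothetical choices made for this example.

# Hash stdin with whichever SHA-256 tool the host provides.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum
    else shasum -a 256
    fi | cut -d' ' -f1
}

# Read one line (the password) from stdin and print its hash.
# printf is a shell builtin, so the password is never a process argument.
vrde_password_hash() {
    IFS= read -r pw || [ -n "$pw" ] || return 1
    [ -n "$pw" ] || { echo "empty password refused" >&2; return 1; }
    digest=$(printf '%s' "$pw" | sha256_hex)
    unset pw
    [ "${#digest}" -eq 64 ] || return 1
    printf '%s\n' "$digest"
}

# Run the three configuration steps for VM $1, user $2 and hash $3.
# Set VBOXMANAGE=echo to see the commands without changing anything.
vrde_simple_auth_apply() {
    vm=$1; user=$2; hash=$3
    vbm=${VBOXMANAGE:-VBoxManage}
    case $user in
        ''|*[!A-Za-z0-9._-]*)
            echo "refusing user name: $user" >&2; return 1 ;;
    esac
    case $hash in
        *[!0-9a-f]*) echo "hash is not lowercase hex" >&2; return 1 ;;
    esac
    [ "${#hash}" -eq 64 ] || { echo "hash is not 64 hex digits" >&2; return 1; }
    "$vbm" setproperty vrdeauthlibrary "VBoxAuthSimple" &&
    "$vbm" modifyvm "$vm" --vrdeauthtype external &&
    "$vbm" setextradata "$vm" "VBoxAuthSimple/users/$user" "$hash"
}

# Stand-alone use: sh vrde-simple-auth.sh "VM name" user
if [ "$#" -eq 2 ]; then
    if [ -t 0 ]; then printf 'Password for %s: ' "$2" >&2; stty -echo; fi
    hash=$(vrde_password_hash); rc=$?
    if [ -t 0 ]; then stty echo; echo >&2; fi
    [ "$rc" -eq 0 ] && vrde_simple_auth_apply "$1" "$2" "$hash"
fi
```

Because the digest carries no salt, anyone who can read the VM settings file can test password guesses offline, so the file needs restrictive permissions.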

<sect2 id="vrde-crypt">

<title>RDP Encryption</title>

<para>
RDP features data stream encryption, which is based on the RC4
symmetric cipher, with keys up to 128-bit. The RC4 keys are
replaced at regular intervals, every 4096 packets.
</para>

<para>
RDP provides the following different authentication methods:
</para>

<itemizedlist>

<listitem>
<para>
<emphasis role="bold">RDP4</emphasis> authentication was
used historically. With RDP4, the RDP client does not
perform any checks in order to verify the identity of the
server it connects to. Since user credentials can be
obtained using a "man in the middle" (MITM) attack, RDP4
authentication is insecure and should generally not be used.
</para>
</listitem>

<listitem>
<para>
<emphasis role="bold">RDP5.1</emphasis> authentication
employs a server certificate for which the client possesses
the public key. This way it is guaranteed that the server
possesses the corresponding private key. However, as this
hard-coded private key became public some years ago, RDP5.1
authentication is also insecure.
</para>
</listitem>

<listitem>
<para>
<emphasis role="bold">RDP5.2</emphasis> authentication uses
Enhanced RDP Security, which means that an external security
protocol is used to secure the connection. RDP4 and RDP5.1
use Standard RDP Security. The VRDP server supports Enhanced
RDP Security with the TLS protocol and, as part of the TLS
handshake, sends the server certificate to the client.
</para>

<para>
The <computeroutput>Security/Method</computeroutput> VRDE
property sets the desired security method, which is used for
a connection. Valid values are as follows:
</para>

<itemizedlist>

<listitem>
<para>
<emphasis role="bold">Negotiate.</emphasis> Both
Enhanced (TLS) and Standard RDP Security connections are
allowed. The security method is negotiated with the
client. This is the default setting.
</para>
</listitem>

<listitem>
<para>
<emphasis role="bold">RDP.</emphasis> Only Standard RDP
Security is accepted.
</para>
</listitem>

<listitem>
<para>
<emphasis role="bold">TLS.</emphasis> Only Enhanced RDP
Security is accepted. The client must support TLS.
</para>
</listitem>

</itemizedlist>

<para>
For example, the following command allows a client to use
either a Standard or an Enhanced RDP Security connection:
</para>

<screen>vboxmanage modifyvm "VM name" --vrdeproperty "Security/Method=negotiate"</screen>

<para>
If the <computeroutput>Security/Method</computeroutput>
property is set to either Negotiate or TLS, the TLS protocol
will be automatically used by the server, if the client
supports TLS. However, in order to use TLS the server must
possess the Server Certificate, the Server Private Key and
the Certificate Authority (CA) Certificate. The following
example shows how to generate a server certificate.
</para>

<orderedlist>

<listitem>
<para>
Create a self-signed CA certificate.
</para>

<screen>openssl req -new -x509 -days 365 -extensions v3_ca \
    -keyout ca_key_private.pem -out ca_cert.pem</screen>
</listitem>

<listitem>
<para>
Generate a server private key and a request for signing.
</para>

<screen>openssl genrsa -out server_key_private.pem
openssl req -new -key server_key_private.pem -out server_req.pem</screen>
</listitem>

<listitem>
<para>
Generate the server certificate.
</para>

<screen>openssl x509 -req -days 365 -in server_req.pem \
    -CA ca_cert.pem -CAkey ca_key_private.pem -set_serial 01 -out server_cert.pem</screen>
</listitem>

</orderedlist>

<para>
The server must be configured to access the required files.
For example:
</para>

<screen>vboxmanage modifyvm "VM name" \
    --vrdeproperty "Security/CACertificate=path/ca_cert.pem"</screen>

<screen>vboxmanage modifyvm "VM name" \
    --vrdeproperty "Security/ServerCertificate=path/server_cert.pem"</screen>

<screen>vboxmanage modifyvm "VM name" \
    --vrdeproperty "Security/ServerPrivateKey=path/server_key_private.pem"</screen>
</listitem>

</itemizedlist>
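
The certificate steps above run without prompts, followed by two checks worth making before pointing the VRDP server at the files: the chain verifies against the CA, and the private key belongs to the certificate. This is an added example, not part of the VirtualBox manual; the subject names, the 2048-bit key size, the `CA_PASS` environment variable that carries the CA key passphrase, the `VBOXMANAGE` override and the function names are assumptions, and the last step sets `Security/Method` to `TLS` so that Standard RDP Security is refused.

```shell
#!/bin/sh
# Added example (not from the VirtualBox manual). Subject names, the 2048-bit
# key size, CA_PASS, VBOXMANAGE and the function names are assumptions.

# Steps 1-3: create CA, server key, request and server certificate in $1.
make_vrde_certs() {
    [ -n "${CA_PASS:-}" ] || { echo "CA_PASS is not set" >&2; return 1; }
    export CA_PASS    # openssl reads the CA key passphrase from the environment
    (
        umask 077     # private keys readable by the owner only
        mkdir -p "$1" && cd "$1" || exit 1
        openssl req -new -x509 -days 365 -extensions v3_ca \
            -subj "/CN=Example VRDE CA" -passout env:CA_PASS \
            -keyout ca_key_private.pem -out ca_cert.pem 2>/dev/null || exit 1
        openssl genrsa -out server_key_private.pem 2048 2>/dev/null || exit 1
        openssl req -new -key server_key_private.pem \
            -subj "/CN=vrde-host.example" -out server_req.pem || exit 1
        openssl x509 -req -days 365 -in server_req.pem \
            -CA ca_cert.pem -CAkey ca_key_private.pem -passin env:CA_PASS \
            -set_serial 01 -out server_cert.pem 2>/dev/null || exit 1
    )
}

# Succeeds only if the chain verifies and the key matches the certificate.
check_vrde_certs() {
    openssl verify -CAfile "$1/ca_cert.pem" "$1/server_cert.pem" \
        >/dev/null 2>&1 || return 1
    key_pub=$(openssl pkey -in "$1/server_key_private.pem" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$1/server_cert.pem" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# Point VM $1 at the files in directory $2 and accept TLS connections only.
apply_vrde_tls() {
    vm=$1; dir=$2
    vbm=${VBOXMANAGE:-VBoxManage}
    case $dir in /*) ;; *) dir=$(pwd)/$dir ;; esac   # use an absolute path
    "$vbm" modifyvm "$vm" --vrdeproperty "Security/CACertificate=$dir/ca_cert.pem" &&
    "$vbm" modifyvm "$vm" --vrdeproperty "Security/ServerCertificate=$dir/server_cert.pem" &&
    "$vbm" modifyvm "$vm" --vrdeproperty "Security/ServerPrivateKey=$dir/server_key_private.pem" &&
    "$vbm" modifyvm "$vm" --vrdeproperty "Security/Method=TLS"
}

# Stand-alone use: CA_PASS=... sh vrde-tls.sh "VM name" /path/to/certdir
if [ "$#" -eq 2 ]; then
    make_vrde_certs "$2" && check_vrde_certs "$2" && apply_vrde_tls "$1" "$2"
fi
```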

<para>
As the client that connects to the server determines what type
of encryption will be used, with rdesktop, the Linux RDP viewer,
use the <computeroutput>-4</computeroutput> or
<computeroutput>-5</computeroutput> options.
</para>

</sect2>
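
A host-side audit of the settings described in this section and in the RDP Authentication section: it flags a VM whose VRDP server is enabled with `null` authentication, with a `Security/Method` that still admits Standard RDP Security, or without a server certificate. This is an added example, not part of the VirtualBox manual; the key names are assumed to match the output of `VBoxManage showvminfo --machinereadable`, and the sample settings are constructed.

```shell
#!/bin/sh
# Added example (not from the VirtualBox manual). The key names below are
# assumed to match "VBoxManage showvminfo <vm> --machinereadable" output;
# both sample inputs are constructed for illustration.

SAMPLE_WEAK='vrde="on"
vrdeauthtype="null"
vrdeproperty[TCP/Ports]="3389"
vrdeproperty[Security/Method]="negotiate"'

SAMPLE_HARDENED='vrde="on"
vrdeauthtype="external"
vrdeproperty[TCP/Ports]="5000"
vrdeproperty[Security/Method]="TLS"
vrdeproperty[Security/ServerCertificate]="/path/server_cert.pem"'

# Read key=value lines on stdin, print one finding per line.
# Exit status 0 means no finding, 1 means at least one.
audit_vrde() {
    awk '
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(/^"|"$/, "", val)            # strip the surrounding quotes
        if (val == "<not set>") val = ""
        conf[key] = val
    }
    END {
        if (conf["vrde"] != "on") { print "OK vrde-disabled"; exit 0 }
        bad = 0
        # null: any client can connect without credentials.
        if (conf["vrdeauthtype"] == "null") {
            print "FAIL auth-null"; bad = 1
        }
        # Unset means Negotiate, which still accepts Standard RDP Security.
        if (tolower(conf["vrdeproperty[Security/Method]"]) != "tls") {
            print "FAIL standard-rdp-security-allowed"; bad = 1
        }
        # TLS needs a server certificate to be configured.
        if (conf["vrdeproperty[Security/ServerCertificate]"] == "") {
            print "FAIL no-server-certificate"; bad = 1
        }
        if (!bad) print "OK"
        exit bad
    }'
}

# Stand-alone use: sh vrde-audit.sh "VM name"
if [ "$#" -eq 1 ]; then
    VBoxManage showvminfo "$1" --machinereadable | audit_vrde
fi
```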

<sect2 id="vrde-multiconnection">

<title>Multiple Connections to the VRDP Server</title>

<para>
The VRDP server of VirtualBox supports multiple simultaneous
connections to the same running VM from different clients. All
connected clients see the same screen output and share a mouse
pointer and keyboard focus. This is similar to several people
using the same computer at the same time, taking turns at the
keyboard.
</para>

<para>
The following command enables multiple connection mode:

<screen>VBoxManage modifyvm "VM name" --vrdemulticon on</screen>
</para>

</sect2>

<sect2 id="vrde-multimonitor">

<title>Multiple Remote Monitors</title>

<para>
To access two or more remote VM displays, you have to enable the
VRDP multiconnection mode. See
<xref
linkend="vrde-multiconnection" />.
</para>

<para>
The RDP client can select the virtual monitor number to connect
to using the <computeroutput>domain</computeroutput> logon
parameter (<computeroutput>-d</computeroutput>). If the
parameter ends with <computeroutput>@</computeroutput> followed
by a number, VirtualBox interprets this number as the screen
index. The primary guest screen is selected with
<computeroutput>@1</computeroutput>, the first secondary screen
is <computeroutput>@2</computeroutput>, and so on.
</para>

<para>
The Microsoft RDP6 client does not let you specify a separate
domain name. Instead, use
<computeroutput>domain\username</computeroutput> in the
<computeroutput>Username:</computeroutput> field. For example,
<computeroutput>@2\name</computeroutput>.
<computeroutput>name</computeroutput> must be supplied, and must
be the name used to log in if the VRDP server is set up to
require credentials. If it is not, you may use any text as the
username.
</para>

</sect2>

<sect2 id="vrde-videochannel">

<title>VRDP Video Redirection</title>

<para>
Starting with VirtualBox 3.2, the VRDP server can redirect video
streams from the guest to the RDP client. Video frames are
compressed using the JPEG algorithm, allowing a higher
compression ratio than standard RDP bitmap compression methods.
It is possible to increase the compression ratio by lowering the
video quality.
</para>

<para>
The VRDP server automatically detects video streams in a guest
as frequently updated rectangular areas. As a result, this
method works with any guest operating system without having to
install additional software in the guest. In particular, the
Guest Additions are not required.
</para>

<para>
On the client side, however, currently only the Windows 7 Remote
Desktop Connection client supports this feature. If a client
does not support video redirection, the VRDP server falls back
1037 to regular bitmap updates.
1038 </para>
1039
1040 <para>
1041 The following command enables video redirection:
1042
1043<screen>VBoxManage modifyvm "VM name" --vrdevideochannel on</screen>
1044 </para>
1045
1046 <para>
1047 The quality of the video is defined as a value from 10 to 100
1048 percent, representing a JPEG compression level, where lower
1049 numbers mean lower quality but higher compression. The quality
1050 can be changed using the following command:
1051
1052<screen>VBoxManage modifyvm "VM name" --vrdevideochannelquality 75</screen>
1053 </para>
1054
1055 </sect2>
1056
1057 <sect2 id="vrde-customization">
1058
1059 <title>VRDP Customization</title>
1060
1061 <para>
1062 With VirtualBox 4.0 it is possible to disable display output,
1063 mouse and keyboard input, audio, remote USB, or clipboard
1064 individually in the VRDP server.
1065 </para>
1066
1067 <para>
1068 The following commands change corresponding server settings:
1069 </para>
1070
1071<screen>VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableDisplay=1
1072VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableInput=1
1073VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableUSB=1
1074VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableAudio=1
1075VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableClipboard=1
1076VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableUpstreamAudio=1</screen>
1077
1078 <para>
1079 To reenable a feature use a similar command without the trailing
1080 1. For example:
1081
1082<screen>VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableDisplay=</screen>
1083 </para>
1084
1085 <para>
1086 These properties were introduced with VirtualBox 3.2.10.
1087 However, in the 3.2.x series, it was necessary to use the
1088 following commands to alter these settings instead:
1089 </para>
1090
1091<screen>VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableDisplay" 1
1092VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableInput" 1
1093VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableUSB" 1
1094VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableAudio" 1
1095VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableClipboard" 1</screen>
1096
1097 <para>
1098 To reenable a feature use a similar command without the trailing
1099 1. For example:
1100
1101<screen>VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableDisplay"</screen>
1102 </para>
1103
1104 </sect2>
1105
1106 </sect1>
1107
1108 <sect1 id="teleporting">
1109
1110 <title>Teleporting</title>
1111
1112 <para>
1113 Starting with version 3.1, VirtualBox supports
1114 <emphasis>teleporting</emphasis>. Teleporting is moving a virtual
1115 machine over a network from one VirtualBox host to another, while
1116 the virtual machine is running. This works regardless of the host
1117 operating system that is running on the hosts. You can teleport
1118 virtual machines between Solaris and Mac hosts, for example.
1119 </para>
1120
1121 <para>
1122 Teleporting requires that a machine be currently running on one
1123 host, which is called the <emphasis>source</emphasis>. The host to
1124 which the virtual machine will be teleported is called the
1125 <emphasis>target</emphasis>. The machine on the target is then
1126 configured to wait for the source to contact the target. The
1127 machine's running state will then be transferred from the source
1128 to the target with minimal downtime.
1129 </para>
1130
1131 <para>
1132 Teleporting happens over any TCP/IP network. The source and the
1133 target only need to agree on a TCP/IP port which is specified in
1134 the teleporting settings.
1135 </para>
1136
1137 <para>
1138 At this time, there are a few prerequisites for this to work, as
1139 follows:
1140 </para>
1141
1142 <itemizedlist>
1143
1144 <listitem>
1145 <para>
1146 On the target host, you must configure a virtual machine in
1147 VirtualBox with exactly the same hardware settings as the
1148 machine on the source that you want to teleport. This does not
1149 apply to settings which are merely descriptive, such as the VM
1150 name, but obviously for teleporting to work, the target
1151 machine must have the same amount of memory and other hardware
1152 settings. Otherwise teleporting will fail with an error
1153 message.
1154 </para>
1155 </listitem>
1156
1157 <listitem>
1158 <para>
1159 The two virtual machines on the source and the target must
1160 share the same storage, hard disks as well as floppy disks and
1161 CD/DVD images. This means that they either use the same iSCSI
1162 targets or that the storage resides somewhere on the network
1163 and both hosts have access to it via NFS or SMB/CIFS.
1164 </para>
1165
1166 <para>
1167 This also means that neither the source nor the target machine
1168 can have any snapshots.
1169 </para>
1170 </listitem>
1171
1172 </itemizedlist>
1173
1174 <para>
1175 To configure teleporting, perform the following steps:
1176 </para>
1177
1178 <orderedlist>
1179
1180 <listitem>
1181 <para>
1182 On the <emphasis>target</emphasis> host, configure the virtual
1183 machine to wait for a teleport request to arrive when it is
1184 started, instead of actually attempting to start the machine.
1185 This is done with the following VBoxManage command:
1186 </para>
1187
1188<screen>VBoxManage modifyvm &lt;targetvmname&gt; --teleporter on --teleporterport &lt;port&gt;</screen>
1189
1190 <para>
1191 where <computeroutput>&lt;targetvmname&gt;</computeroutput> is
1192 the name of the virtual machine on the target host and
1193 <computeroutput>&lt;port&gt;</computeroutput> is a TCP/IP port
1194 number to be used on both the source and the target hosts. For
1195 example, use 6000. See
1196 <xref
1197 linkend="vboxmanage-modifyvm-teleport" />.
1198 </para>
1199 </listitem>
1200
1201 <listitem>
1202 <para>
1203 Start the VM on the target host. Instead of running, the VM
1204 shows a progress dialog, indicating that it is waiting for a
1205 teleport request to arrive.
1206 </para>
1207 </listitem>
1208
1209 <listitem>
1210 <para>
1211 Start the VM on the <emphasis>source</emphasis> host as usual.
1212 When it is running and you want it to be teleported, issue the
1213 following command on the source host:
1214 </para>
1215
1216<screen>VBoxManage controlvm &lt;sourcevmname&gt; teleport --host &lt;targethost&gt; --port &lt;port&gt;</screen>
1217
1218 <para>
1219 where <computeroutput>&lt;sourcevmname&gt;</computeroutput> is
1220 the name of the virtual machine on the source host (the
1221 machine that is currently running),
1222 <computeroutput>&lt;targethost&gt;</computeroutput> is the
1223 host name or IP address of the target host on which the machine is
1224 waiting for the teleport request, and
1225 <computeroutput>&lt;port&gt;</computeroutput> must be the same
1226 number as specified in the command on the target host. See
1227 <xref
1228 linkend="vboxmanage-controlvm" />.
1229 </para>
1230 </listitem>
1231
1232 </orderedlist>
1233
1234 <para>
1235 For testing, you can also teleport machines on the same host. In
1236 that case, use localhost as the hostname on both the source and
1237 the target host.
1238 </para>
1239
1240 <note>
1241 <para>
1242 In rare cases, if the CPUs of the source and the target are very
1243 different, teleporting can fail with an error message, or the
1244 target may hang. This may happen especially if the VM is running
1245 application software that is highly optimized to run on a
1246 particular CPU without correctly checking that certain CPU
1247 features are actually present. VirtualBox filters what CPU
1248 capabilities are presented to the guest operating system.
1249 Advanced users can attempt to restrict these virtual CPU
1250 capabilities with the <computeroutput>VBoxManage modifyvm
1251 --cpuid</computeroutput> command. See
1252 <xref
1253 linkend="vboxmanage-modifyvm-teleport" />.
1254 </para>
1255 </note>
1256
1257 </sect1>
1258
1259</chapter>
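A pre-flight check for the three PEM files that the manual passes to Security/CACertificate, Security/ServerCertificate and Security/ServerPrivateKey, as an added example that is not part of the VirtualBox manual or code base. The function name check_vrde_tls, the 24-hour expiry margin and the key-permission test are assumptions of this example; it expects the files in one directory under the names the manual uses, with an unencrypted private key.

```shell
#!/bin/sh
# Added example (not VirtualBox code): validate the VRDP TLS files before
# running the "modifyvm --vrdeproperty Security/..." commands.
# Usage: check_vrde_tls DIR   -> returns 0 if every check passes, 1 otherwise.
check_vrde_tls() {
    dir=$1
    ca="$dir/ca_cert.pem"
    crt="$dir/server_cert.pem"
    key="$dir/server_key_private.pem"
    rc=0

    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done

    # 1. The server certificate must chain to the CA that clients will trust.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "server_cert.pem is not signed by ca_cert.pem" >&2; rc=1; }

    # 2. The private key must belong to the certificate: compare public keys.
    #    "-passin pass:" makes an encrypted key fail instead of prompting.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || crt_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || key_pub=""
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] ||
        { echo "server_key_private.pem does not match server_cert.pem" >&2; rc=1; }

    # 3. The certificate must stay valid for at least another 24 hours.
    openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null 2>&1 ||
        { echo "server_cert.pem is expired or expires within 24h" >&2; rc=1; }

    # 4. The private key must not be accessible to group or others
    #    (characters 5-10 of the ls mode string are the group/other bits).
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "server_key_private.pem is accessible to group/others" >&2; rc=1; }

    return $rc
}

# Run directly as: sh check_vrde_tls.sh /path/to/pem/directory
if [ "$#" -gt 0 ]; then
    check_vrde_tls "$1"
fi
```

A failed check prints the reason on stderr; the permission test applies to POSIX hosts only.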