VirtualBox

source: vbox/trunk/doc/manual/en_US/user_Frontends.xml@ 76553

Last change on this file since 76553 was 76078, checked in by vboxsync, 6 years ago

manual: integrate drop #30 with minimal manual adjustments (but everything into one book, with manually applied tweaks to turn the release notes into a pure changelog again and manually re-applied the last changelog change since it wasn't included yet)

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id Revision
File size: 44.6 KB

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"[
<!ENTITY % all.entities SYSTEM "all-entities.ent">
%all.entities;
]>
<chapter id="remotevm">

  <title>Remote Virtual Machines</title>

  <sect1 id="vrde">

    <title>Remote Display (VRDP Support)</title>

    <para>
      &product-name; can display virtual machines remotely, meaning that
      a virtual machine can execute on one computer even though the
      machine will be displayed on a second computer, and the machine
      will be controlled from there as well, as if the virtual machine
      was running on that second computer.
    </para>

    <para>
      For maximum flexibility, &product-name; implements remote machine
      display through a generic extension interface called the
      VirtualBox Remote Desktop Extension (VRDE). The base open source
      &product-name; package only provides this interface, while
      implementations can be supplied by third parties with
      &product-name; extension packages, which must be installed
      separately from the base package. See
      <xref linkend="intro-installing" />.
    </para>

    <para>
      Oracle provides support for the VirtualBox Remote Display Protocol
      (VRDP) in such an &product-name; extension package. When this
      package is installed, &product-name; versions 4.0 and later
      support VRDP the same way as the binary, non-open source versions
      of &product-name; before 4.0 did.
    </para>

    <para>
      VRDP is a backwards-compatible extension to Microsoft's Remote
      Desktop Protocol (RDP). As a result, you can use any standard RDP
      client to control the remote VM.
    </para>

    <para>
      Even when the extension is installed, the VRDP server is disabled
      by default. It can easily be enabled on a per-VM basis either in
      the VirtualBox Manager in the
      <emphasis role="bold">Display</emphasis> settings, see
      <xref linkend="settings-display" />, or with the
      <command>VBoxManage</command> command, as follows:
    </para>

<screen>VBoxManage modifyvm "VM name" --vrde on</screen>

    <para>
      Enabling the server is a security decision as well as a
      convenience. With the default settings it listens on all host
      interfaces and, until an authentication method is configured,
      accepts any client without credentials. Before exposing a VM this
      way, choose an authentication method, see
      <xref linkend="vbox-auth" />, and a security method, see
      <xref linkend="vrde-crypt" />.
    </para>

    <para>
      By default, the VRDP server uses TCP port
      <computeroutput>3389</computeroutput>. You will need to change the
      default port if you run more than one VRDP server, since the port
      can only be used by one server at a time. You might also need to
      change it on Windows hosts since the default port might already be
      used by the RDP server that is built into Windows itself. Ports
      5000 through 5050 are typically not used and might be a good
      choice.
    </para>

    <para>
      The port can be changed either in the
      <emphasis role="bold">Display</emphasis> settings of the graphical
      user interface or with the <option>--vrdeport</option> option of
      the <command>VBoxManage modifyvm</command> command. You can
      specify a comma-separated list of ports or ranges of ports. Use a
      dash between two port numbers to specify a range. The VRDP server
      will bind to <emphasis>one</emphasis> of the available ports from
      the specified list. For example, <computeroutput>VBoxManage
      modifyvm "VM name" --vrdeport 5000,5010-5012</computeroutput> will
      configure the server to bind to one of the ports 5000, 5010, 5011,
      or 5012. See <xref linkend="vboxmanage-modifyvm-vrde" />.
    </para>

    <para>
      The actual port used by a running VM can be either queried with
      the <command>VBoxManage showvminfo</command> command or seen in
      the GUI on the <emphasis role="bold">Runtime</emphasis> tab of the
      <emphasis role="bold">Session Information</emphasis> dialog, which
      is accessible from the <emphasis role="bold">Machine</emphasis>
      menu of the VM window.
    </para>

    <para>
      Support for IPv6 has been implemented in &product-name; 4.3. If
      the host OS supports IPv6, the VRDP server will automatically
      listen for IPv6 connections in addition to IPv4.
    </para>

    <sect2 id="rdp-viewers">

      <title>Common Third-Party RDP Viewers</title>

      <para>
        Since VRDP is backwards-compatible to RDP, you can use any
        standard RDP viewer to connect to such a remote virtual machine.
        For this to work, you must specify the IP address of your
        <emphasis>host</emphasis> system, not of the virtual machine, as
        the server address to connect to. You must also specify the port
        number that the VRDP server is using.
      </para>

      <para>
        The following examples are for the most common RDP viewers:
      </para>

      <itemizedlist>

        <listitem>
          <para>
            On Windows, you can use the Microsoft Remote Desktop
            Connection client, <command>mstsc.exe</command>, that is
            included with Windows. Press the Windows key + R, to display
            the <emphasis role="bold">Run</emphasis> dialog. Enter
            <command>mstsc</command> to start the program. You can also
            find the program in <emphasis role="bold">Start</emphasis>,
            <emphasis role="bold">All Programs</emphasis>,
            <emphasis role="bold">Accessories</emphasis>,
            <emphasis role="bold">Remote Desktop Connection</emphasis>.
            If you use the <emphasis role="bold">Run</emphasis> dialog,
            you can enter options directly. For example:
          </para>

<screen>mstsc 1.2.3.4:3389</screen>

          <para>
            Replace <computeroutput>1.2.3.4</computeroutput> with the
            host IP address, and <computeroutput>3389</computeroutput>
            with a different port, if necessary.
          </para>

          <note>
            <itemizedlist>

              <listitem>
                <para>
                  IPv6 addresses must be enclosed in square brackets to
                  specify a port. For example: <computeroutput>mstsc
                  [fe80::1:2:3:4]:3389</computeroutput>
                </para>
              </listitem>

              <listitem>
                <para>
                  When connecting to localhost in order to test the
                  connection, the addresses
                  <computeroutput>localhost</computeroutput> and
                  <computeroutput>127.0.0.1</computeroutput> might not
                  work using <command>mstsc.exe</command>. Instead, the
                  address
                  <computeroutput>127.0.0.2[:3389]</computeroutput> has
                  to be used.
                </para>
              </listitem>

            </itemizedlist>
          </note>
        </listitem>

        <listitem>
          <para>
            On other systems, you can use the standard open source
            <command>rdesktop</command> program. This ships with most
            Linux distributions, but &product-name; also comes with a
            modified variant of <command>rdesktop</command> for remote
            USB support. See <xref linkend="usb-over-rdp" />.
          </para>

          <para>
            With <command>rdesktop</command>, use a command line such as
            the following:
          </para>

<screen>rdesktop -a 16 -N 1.2.3.4:3389</screen>

          <para>
            Replace <computeroutput>1.2.3.4</computeroutput> with the
            host IP address, and <computeroutput>3389</computeroutput>
            with a different port, if necessary. The <computeroutput>-a
            16</computeroutput> option requests a color depth of 16 bits
            per pixel, which we recommend. For best performance, after
            installation of the guest operating system, you should set
            its display color depth to the same value. The
            <computeroutput>-N</computeroutput> option enables use of
            the NumPad keys.
          </para>
        </listitem>

        <listitem>
          <para>
            The Remmina remote desktop client can be used with VRDP.
            This application is included with some Linux distributions,
            such as Debian and Ubuntu.
          </para>
        </listitem>

        <listitem>
          <para>
            If you run the KDE desktop, you can use
            <computeroutput>krdc</computeroutput>, the KDE RDP viewer. A
            typical command line is as follows:
          </para>

<screen>krdc rdp://1.2.3.4:3389</screen>

          <para>
            Replace <computeroutput>1.2.3.4</computeroutput> with the
            host IP address, and <computeroutput>3389</computeroutput>
            with a different port, if necessary. The "rdp://" prefix is
            required with krdc to switch it into RDP mode.
          </para>
        </listitem>

        <listitem>
          <para>
            With Sun Ray thin clients you can use
            <command>uttsc</command>, which is part of the Sun Ray
            Windows Connector package. See the Sun Ray documentation for
            details.
          </para>
        </listitem>

      </itemizedlist>

    </sect2>

    <sect2 id="vboxheadless">

      <title>VBoxHeadless, the Remote Desktop Server</title>

      <para>
        While any VM started from the VirtualBox Manager can also be
        displayed remotely, it is not convenient to have to run the
        full-fledged GUI if you never want to have VMs displayed locally
        in the first place. In particular, if you are running server
        hardware whose only purpose is to host VMs, and all your VMs are
        supposed to run remotely over VRDP, then it is pointless to have
        a graphical user interface on the server at all. This is
        especially true for Linux or Oracle Solaris hosts, as the
        VirtualBox Manager comes with dependencies on the Qt and SDL
        libraries. This is inconvenient if you would rather not have the
        X Window system on your server at all.
      </para>

      <para>
        &product-name; therefore comes with a front-end called
        <computeroutput>VBoxHeadless</computeroutput>, which produces no
        visible output on the host at all, but still can deliver VRDP
        data. This front-end has no dependencies on the X Window system
        on Linux and Oracle Solaris hosts.
      </para>

      <note>
        <para>
          Before &product-name; 1.6, the headless server was called
          <computeroutput>VBoxVRDP</computeroutput>. For the sake of
          backwards compatibility, the &product-name; installation still
          installs an executable with that name as well.
        </para>
      </note>

      <para>
        To start a virtual machine with
        <computeroutput>VBoxHeadless</computeroutput>, you have the
        following options:
      </para>

      <itemizedlist>

        <listitem>
          <para>
            Use the <command>VBoxManage</command> command, as follows:
          </para>

<screen>VBoxManage startvm "VM name" --type headless</screen>

          <para>
            The <computeroutput>--type</computeroutput> option causes
            &product-name; to use
            <computeroutput>VBoxHeadless</computeroutput> as the
            front-end to the internal virtualization engine, instead of
            the Qt front-end.
          </para>
        </listitem>

        <listitem>
          <para>
            Use the <command>VBoxHeadless</command> command, as follows:
          </para>

<screen>VBoxHeadless --startvm &lt;uuid|name&gt;</screen>

          <para>
            This way of starting the VM helps troubleshooting problems
            reported by <command>VBoxManage startvm</command>, because
            you can sometimes see more detailed error messages,
            especially for early failures before the VM execution is
            started. In normal situations <command>VBoxManage
            startvm</command> is preferred, since it runs the VM
            directly as a background process, which has to be done
            explicitly when starting directly with
            <computeroutput>VBoxHeadless</computeroutput>.
          </para>
        </listitem>

        <listitem>
          <para>
            Start <computeroutput>VBoxHeadless</computeroutput> from the
            VirtualBox Manager GUI, by pressing the Shift key when
            starting a virtual machine or by selecting
            <emphasis role="bold">Headless Start</emphasis> from the
            <emphasis role="bold">Machine</emphasis> menu.
          </para>
        </listitem>

      </itemizedlist>

      <para>
        When you use the <computeroutput>VBoxHeadless</computeroutput>
        command to start a VM, the VRDP server will be enabled according
        to the VM configuration. You can override the VM's setting using
        the <computeroutput>--vrde</computeroutput> command line
        parameter. To enable the VRDP server, start the VM as follows:
      </para>

<screen>VBoxHeadless --startvm &lt;uuid|name&gt; --vrde on</screen>

      <para>
        To disable the VRDP server:
      </para>

<screen>VBoxHeadless --startvm &lt;uuid|name&gt; --vrde off</screen>

      <para>
        To have the VRDP server enabled depending on the VM
        configuration, as for other front-ends:
      </para>

<screen>VBoxHeadless --startvm &lt;uuid|name&gt; --vrde config</screen>

      <para>
        This command is the same as the following:
      </para>

<screen>VBoxHeadless --startvm &lt;uuid|name&gt;</screen>

      <para>
        If you start the VM with <command>VBoxManage startvm</command>
        then the configuration settings of the VM are always used.
      </para>

    </sect2>

    <sect2 id="headless-vm-steps">

      <title>Step by Step: Creating a Virtual Machine on a Headless Server</title>

      <para>
        The following instructions describe how to create a virtual
        machine on a headless server over a network connection. This
        example creates a virtual machine, establishes an RDP connection
        and installs a guest operating system. All of these tasks are
        done without having to touch the headless server. You need the
        following prerequisites:
      </para>

      <itemizedlist>

        <listitem>
          <para>
            &product-name; on a server machine with a supported host
            operating system. The &product-name; Extension Pack for the
            VRDP server must be installed, see <xref linkend="vrde"/>.
            The procedures assume a Linux server is used.
          </para>
        </listitem>

        <listitem>
          <para>
            An ISO file accessible from the server, containing the
            installation data for the guest operating system to install.
            Windows XP is used in the example.
          </para>
        </listitem>

        <listitem>
          <para>
            A terminal connection to that host through which you can
            access a command line, such as
            <computeroutput>ssh</computeroutput>.
          </para>
        </listitem>

        <listitem>
          <para>
            An RDP viewer on the remote client. See
            <xref linkend="rdp-viewers" /> for examples.
          </para>
        </listitem>

      </itemizedlist>

      <para>
        Note that on the server machine, since we will only use the
        headless server, Qt and the X Window system are not required.
      </para>

      <orderedlist>

        <listitem>
          <para>
            On the headless server, create a new virtual machine. For
            example:
          </para>

<screen>VBoxManage createvm --name "Windows XP" --ostype WindowsXP --register</screen>

          <para>
            If you do not specify
            <computeroutput>--register</computeroutput>, you will have
            to manually use the <command>registervm</command> command
            later.
          </para>

          <para>
            You do not need to specify
            <computeroutput>--ostype</computeroutput>, but doing so
            selects some sensible default values for certain VM
            parameters. For example, the RAM size and the type of the
            virtual network device. To get a complete list of supported
            operating systems you can use the following command:
          </para>

<screen>VBoxManage list ostypes</screen>
        </listitem>

        <listitem>
          <para>
            Make sure the settings for the VM are appropriate for the
            guest operating system that we will install. For example:
          </para>

<screen>VBoxManage modifyvm "Windows XP" --memory 256 --acpi on --boot1 dvd --nic1 nat</screen>
        </listitem>

        <listitem>
          <para>
            Create a virtual hard disk for the VM. For example, to
            create a 10 GB virtual hard disk:
          </para>

<screen>VBoxManage createhd --filename "WinXP.vdi" --size 10000</screen>
        </listitem>

        <listitem>
          <para>
            Add an IDE Controller to the new VM. For example:
          </para>

<screen>VBoxManage storagectl "Windows XP" --name "IDE Controller" \
    --add ide --controller PIIX4</screen>
        </listitem>

        <listitem>
          <para>
            Set the VDI file you created as the first virtual hard disk
            of the new VM. For example:
          </para>

<screen>VBoxManage storageattach "Windows XP" --storagectl "IDE Controller" \
    --port 0 --device 0 --type hdd --medium "WinXP.vdi"</screen>
        </listitem>

        <listitem>
          <para>
            Attach the ISO file that contains the operating system
            installation that you want to install later to the virtual
            machine. This is done so that the VM can boot from it.
          </para>

<screen>VBoxManage storageattach "Windows XP" --storagectl "IDE Controller" \
    --port 0 --device 1 --type dvddrive --medium /full/path/to/iso.iso</screen>
        </listitem>

        <listitem>
          <para>
            Enable the VirtualBox Remote Desktop Extension, the VRDP
            server, as follows:
          </para>

<screen>VBoxManage modifyvm "Windows XP" --vrde on</screen>

          <para>
            This leaves the server with the default authentication
            method, <computeroutput>null</computeroutput>, so anyone who
            can reach the port can take over the installation. For
            anything other than a test on an isolated network, also set
            <option>--vrdeauthtype</option>. See
            <xref linkend="vbox-auth" />.
          </para>
        </listitem>

        <listitem>
          <para>
            Start the virtual machine using the
            <command>VBoxHeadless</command> command:
          </para>

<screen>VBoxHeadless --startvm "Windows XP"</screen>

          <para>
            If the configuration steps worked, you should see a
            copyright notice. If you are returned to the command line,
            then something did not work correctly.
          </para>
        </listitem>

        <listitem>
          <para>
            On the client machine, start the RDP viewer and connect to
            the server. See <xref linkend="rdp-viewers" /> for details
            of how to use various common RDP viewers.
          </para>

          <para>
            The installation routine of your guest operating system
            should be displayed in the RDP viewer.
          </para>
        </listitem>

      </orderedlist>
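
      <para>
        The whole procedure above as one script, so that a VM can be
        provisioned repeatably instead of by hand. This is an added
        example, not a script shipped with &product-name;: it only
        sequences the <command>VBoxManage</command> calls from the steps
        above (using <command>createmedium disk</command>, the current
        name of <command>createhd</command>), but it enables the VRDP
        server with host-account authentication, a port range and a
        fixed bind address rather than the bare
        <option>--vrde on</option> of step 7, and it reads back the port
        actually bound after a headless start. The VM name, OS type,
        paths, the loopback bind address and the port range are assumed
        defaults; <computeroutput>dry_run</computeroutput> prints the
        commands instead of running them.
      </para>

```python
#!/usr/bin/env python3
"""Provision a VM for headless VRDP use in one pass.

Added example, not a script shipped with VirtualBox. It sequences the
VBoxManage calls of the step-by-step procedure; the VM name, OS type,
paths, bind address and port range are assumed defaults, not fixed values.
"""
from __future__ import annotations

import shlex
import subprocess
from dataclasses import dataclass


@dataclass
class VmSpec:
    name: str = "Windows XP"
    ostype: str = "WindowsXP"
    memory_mb: int = 256
    disk: str = "WinXP.vdi"
    disk_mb: int = 10000
    iso: str = "/full/path/to/iso.iso"
    vrde_address: str = "127.0.0.1"   # assumption: loopback only, reach it via SSH
    vrde_ports: str = "5000-5010"     # the server binds one free port of this range


def provision_commands(spec: VmSpec) -> list[list[str]]:
    """The VBoxManage invocations of the procedure, in the order that works
    (controller before attach, VM registered before modify). The last two
    enable VRDP with host-account authentication instead of the default
    'null', a port range instead of the shared 3389, and a fixed bind address."""
    vm, ctl = spec.name, "IDE Controller"
    return [
        ["VBoxManage", "createvm", "--name", vm, "--ostype", spec.ostype, "--register"],
        ["VBoxManage", "modifyvm", vm, "--memory", str(spec.memory_mb),
         "--acpi", "on", "--boot1", "dvd", "--nic1", "nat"],
        ["VBoxManage", "createmedium", "disk", "--filename", spec.disk,
         "--size", str(spec.disk_mb)],
        ["VBoxManage", "storagectl", vm, "--name", ctl, "--add", "ide",
         "--controller", "PIIX4"],
        ["VBoxManage", "storageattach", vm, "--storagectl", ctl, "--port", "0",
         "--device", "0", "--type", "hdd", "--medium", spec.disk],
        ["VBoxManage", "storageattach", vm, "--storagectl", ctl, "--port", "0",
         "--device", "1", "--type", "dvddrive", "--medium", spec.iso],
        ["VBoxManage", "modifyvm", vm, "--vrde", "on",
         "--vrdeauthtype", "external", "--vrdeport", spec.vrde_ports],
        ["VBoxManage", "modifyvm", vm, "--vrdeproperty",
         f"TCP/Address={spec.vrde_address}"],
    ]


def run(cmds: list[list[str]], dry_run: bool = False) -> None:
    """Execute in order and stop at the first failure; a later step run
    against a half-configured VM would only produce confusing errors."""
    for cmd in cmds:
        print("+", " ".join(shlex.quote(c) for c in cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)


def bound_vrde_port(showvminfo_output: str) -> int | None:
    """Find the port a running VM actually bound from the output of
    'VBoxManage showvminfo "VM name" --machinereadable' (its vrdeport=
    line); a non-positive value means the server is not listening."""
    for line in showvminfo_output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "vrdeport":
            port = int(value.strip().strip('"'))
            return port if port > 0 else None
    return None


if __name__ == "__main__":
    spec = VmSpec()
    run(provision_commands(spec), dry_run=True)   # drop dry_run to apply
    run([["VBoxManage", "startvm", spec.name, "--type", "headless"]], dry_run=True)
```

      <para>
        Run it with <computeroutput>dry_run=False</computeroutput> on the
        headless server. With the loopback bind address the console is
        reached through an SSH port forward to the host, so the VRDP
        port itself never has to be opened to the network.
      </para>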

    </sect2>

    <sect2 id="usb-over-rdp">

      <title>Remote USB</title>

      <para>
        As a special feature additional to the VRDP support,
        &product-name; also supports remote USB devices over the wire.
        That is, an &product-name; guest that runs on one computer can
        access the USB devices of the remote computer on which the VRDP
        data is being displayed the same way as USB devices that are
        connected to the actual host. This enables running of virtual
        machines on an &product-name; host that acts as a server, where
        a client can connect from elsewhere that needs only a network
        adapter and a display capable of running an RDP viewer. When USB
        devices are plugged into the client, the remote &product-name;
        server can access them.
      </para>

      <para>
        For these remote USB devices, the same filter rules apply as for
        other USB devices. See <xref linkend="settings-usb" />. All you
        have to do is specify Remote, or Any, when setting up these
        rules. Because the guest gets raw access to whatever device
        matches, restrict the filters to the vendor, product or class
        you actually need rather than matching every device plugged into
        the client.
      </para>

      <para>
        Accessing remote USB devices is only possible if the RDP client
        supports this extension. On Linux and Oracle Solaris hosts, the
        &product-name; installation provides a suitable VRDP client
        called <command>rdesktop-vrdp</command>. Recent versions of
        <command>uttsc</command>, a client tailored for the use with Sun
        Ray thin clients, also support accessing remote USB devices. RDP
        clients for other platforms will be provided in future
        &product-name; versions.
      </para>

      <para>
        To make a remote USB device available to a VM,
        <command>rdesktop-vrdp</command> should be started as follows:
      </para>

<screen>rdesktop-vrdp -r usb -a 16 -N my.host.address</screen>

      <para>
        See <xref linkend="ts_usb-linux" /> for further details on how
        to properly set up the permissions for USB devices. Furthermore
        it is advisable to disable automatic loading of any host driver
        on the remote host which might work on USB devices to ensure
        that the devices are accessible by the RDP client. If the setup
        was properly done on the remote host, plug and unplug events are
        visible in the VBox.log file of the VM.
      </para>

    </sect2>

    <sect2 id="vbox-auth">

      <title>RDP Authentication</title>

      <para>
        For each virtual machine that is remotely accessible using RDP,
        you can individually determine if and how client connections are
        authenticated. For this, use the <command>VBoxManage
        modifyvm</command> command with the
        <option>--vrdeauthtype</option> option. See
        <xref linkend="vboxmanage-modifyvm" />. The following methods of
        authentication are available:
      </para>

      <itemizedlist>

        <listitem>
          <para>
            The <emphasis role="bold">null</emphasis> method means that
            there is no authentication at all. Any client can connect to
            the VRDP server and thus the virtual machine. This is the
            default for a newly created VM, it is very insecure, and it
            is only to be recommended for isolated private networks.
          </para>
        </listitem>

        <listitem>
          <para>
            The <emphasis role="bold">external</emphasis> method
            provides external authentication through a special
            authentication library. &product-name; ships with two
            special authentication libraries:
          </para>

          <orderedlist>

            <listitem>
              <para>
                The default authentication library,
                <computeroutput>VBoxAuth</computeroutput>, authenticates
                against user credentials of the host. Depending on the
                host platform, this means the following:
              </para>

              <itemizedlist>

                <listitem>
                  <para>
                    On Linux hosts,
                    <computeroutput>VBoxAuth.so</computeroutput>
                    authenticates users against the host's PAM system.
                  </para>
                </listitem>

                <listitem>
                  <para>
                    On Windows hosts,
                    <computeroutput>VBoxAuth.dll</computeroutput>
                    authenticates users against the host's WinLogon
                    system.
                  </para>
                </listitem>

                <listitem>
                  <para>
                    On Mac OS X hosts,
                    <computeroutput>VBoxAuth.dylib</computeroutput>
                    authenticates users against the host's directory
                    service.
                  </para>
                </listitem>

              </itemizedlist>

              <para>
                In other words, the external method by default performs
                authentication with the user accounts that exist on the
                host system. Any user with valid authentication
                credentials is accepted. For example, the username does
                not have to correspond to the user running the VM, so
                every account on the host can reach the console of every
                VM configured this way. If that is too broad, use
                <computeroutput>VBoxAuthSimple</computeroutput>,
                described next, or a custom authentication module.
              </para>
            </listitem>

            <listitem>
              <para>
                An additional library called
                <computeroutput>VBoxAuthSimple</computeroutput> performs
                authentication against credentials configured in the
                "extradata" section of a virtual machine's XML settings
                file. This is probably the simplest way to get
                authentication that does not depend on a running and
                supported guest. The following steps are required:
              </para>

              <orderedlist>

                <listitem>
                  <para>
                    Enable
                    <computeroutput>VBoxAuthSimple</computeroutput> with
                    the following command. This is a host-wide setting:
                    it selects the library used by every VM whose
                    authentication type is external.
                  </para>

<screen>VBoxManage setproperty vrdeauthlibrary "VBoxAuthSimple"</screen>
                </listitem>

                <listitem>
                  <para>
                    To enable the library for a particular VM, you must
                    switch authentication to external, as follows:
                  </para>

<screen>VBoxManage modifyvm "VM name" --vrdeauthtype external</screen>

                  <para>
                    Replace <computeroutput>"VM name"</computeroutput>
                    with the name or UUID of the VM.
                  </para>
                </listitem>

                <listitem>
                  <para>
                    You then need to configure users and passwords by
                    writing items into the machine's extradata. Since
                    the XML machine settings file, into whose
                    <computeroutput>extradata</computeroutput> section
                    the credentials are written, is a plain text file,
                    &product-name; stores a hash of each password rather
                    than the password itself. The hash is an unsalted
                    SHA-256 of the password in hexadecimal, so anyone
                    able to read the settings file can test candidate
                    passwords against it offline: use long random
                    passwords and keep the file readable only by the
                    user running the VM. The following command must be
                    used:
                  </para>

<screen>VBoxManage setextradata "VM name" "VBoxAuthSimple/users/&lt;user&gt;" &lt;hash&gt;</screen>

                  <para>
                    Replace <computeroutput>"VM name"</computeroutput>
                    with the name or UUID of the VM,
                    <computeroutput>&lt;user&gt;</computeroutput> with
                    the user name who should be allowed to log in and
                    <computeroutput>&lt;hash&gt;</computeroutput> with
                    the password hash. As an example, to obtain the
                    hash value for the password
                    <computeroutput>secret</computeroutput>, you can use
                    the following command:
                  </para>

<screen>VBoxManage internalcommands passwordhash "secret"</screen>

                  <para>
                    This command will generate the following output:
                  </para>

<screen>2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b</screen>

                  <para>
                    You then use <command>VBoxManage
                    setextradata</command> to store this value in the
                    machine's <computeroutput>extradata</computeroutput>
                    section.
                  </para>

                  <para>
                    As a combined example, to set the password for the
                    user <computeroutput>john</computeroutput> and the
                    machine <computeroutput>My VM</computeroutput> to
                    <computeroutput>secret</computeroutput>, use this
                    command:
                  </para>

<screen>VBoxManage setextradata "My VM" "VBoxAuthSimple/users/john" \
    2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b</screen>
                </listitem>

              </orderedlist>
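
              <para>
                To show what the hash above is and how the library checks
                it, here is an added example in Python, not code from
                &product-name;. It reproduces the value of
                <command>VBoxManage internalcommands passwordhash</command>,
                so that hashes can be generated on an administrator's
                workstation and only the hash ever travels to the host;
                verifies a candidate password against a stored hash the
                way the library does at logon; and parses the
                <computeroutput>VBoxAuthSimple/users/</computeroutput>
                entries out of the output of <command>VBoxManage
                getextradata "VM name" enumerate</command>. The enumerate
                output in the usage is constructed, not captured.
              </para>

```python
#!/usr/bin/env python3
"""Generate and check VBoxAuthSimple password hashes offline.

Added example, not VirtualBox code. That the value computed here for
"secret" matches the one the manual prints confirms the format: one
unsalted round of SHA-256, lowercase hex, stored verbatim in the
VBoxAuthSimple/users/<user> extradata key of the VM.
"""
import hashlib
import hmac
import re

HASH_RE = re.compile(r"^[0-9a-f]{64}$")


def vbox_password_hash(password: str) -> str:
    """Same value as 'VBoxManage internalcommands passwordhash <password>'."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def extradata_args(vm: str, user: str, password: str) -> list:
    """The 'VBoxManage setextradata' invocation that enrols 'user' on 'vm'.
    Only the hash is written to the VM settings file; the password itself
    never has to be typed on, or sent to, the host."""
    return ["VBoxManage", "setextradata", vm,
            f"VBoxAuthSimple/users/{user}", vbox_password_hash(password)]


def check_password(stored_hash: str, candidate: str) -> bool:
    """What the library does at logon: hash the candidate and compare.
    A malformed or empty entry denies rather than crashes, and the compare
    is constant-time so timing does not reveal how many bytes matched."""
    if not HASH_RE.match(stored_hash):
        return False
    return hmac.compare_digest(stored_hash, vbox_password_hash(candidate))


def users_from_extradata(enumerate_output: str) -> dict:
    """Parse 'Key: VBoxAuthSimple/users/<user>, Value: <hash>' lines from
    'VBoxManage getextradata "VM name" enumerate' into {user: hash},
    skipping unrelated keys and entries that are not well-formed hashes
    (those would never authenticate anybody and deserve a look)."""
    users = {}
    for line in enumerate_output.splitlines():
        m = re.match(r"Key: VBoxAuthSimple/users/([^,]+), Value: (\S+)", line)
        if m and HASH_RE.match(m.group(2)):
            users[m.group(1)] = m.group(2)
    return users


if __name__ == "__main__":
    print(" ".join(extradata_args("My VM", "john", "secret")))
    # Constructed enumerate output, the shape VBoxManage prints one key per line.
    sample = ("Key: GUI/LastCloseAction, Value: PowerOff\n"
              "Key: VBoxAuthSimple/users/john, Value: " + vbox_password_hash("secret") + "\n"
              "Key: VBoxAuthSimple/users/broken, Value: not-a-hash\n")
    for user, stored in users_from_extradata(sample).items():
        print(user, "accepts 'secret':", check_password(stored, "secret"))
```

              <para>
                Because the hash is unsalted and unstretched, an attacker
                with a copy of the settings file tests passwords at the
                raw speed of SHA-256; the example therefore does nothing
                to strengthen the scheme, it only makes its properties
                visible. The defence is the password length and the file
                permissions.
              </para>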
            </listitem>

          </orderedlist>
        </listitem>

        <listitem>
          <para>
            The <emphasis role="bold">guest</emphasis> authentication
            method performs authentication with a special component that
            comes with the Guest Additions. As a result, authentication
            is not performed on the host, but with the guest user
            accounts.
          </para>

          <para>
            This method is currently still in testing and not yet
            supported.
          </para>
        </listitem>

      </itemizedlist>

      <para>
        In addition to the methods described above, you can replace the
        default external authentication module with any other module.
        For this, &product-name; provides a well-defined interface that
        enables you to write your own authentication module. This is
        described in detail in the &product-name; Software Development
        Kit (SDK) reference. See <xref linkend="VirtualBoxAPI" />.
      </para>

    </sect2>

    <sect2 id="vrde-crypt">

      <title>RDP Encryption</title>

      <para>
        Standard RDP Security encrypts the data stream with the RC4
        stream cipher, using keys of up to 128 bits that are replaced at
        regular intervals, every 4096 packets. RC4 is no longer
        considered a secure cipher, so this mode should be regarded as
        obfuscation rather than protection. Prefer Enhanced RDP
        Security, that is TLS, described below, wherever the client
        supports it.
      </para>

      <para>
        RDP provides the following different authentication methods:
      </para>

      <itemizedlist>

        <listitem>
          <para>
            <emphasis role="bold">RDP4</emphasis> authentication was
            used historically. With RDP4, the RDP client does not
            perform any checks in order to verify the identity of the
            server it connects to. Since an attacker in the middle can
            impersonate the server and obtain the user's credentials,
            RDP4 authentication is insecure and should generally not be
            used.
          </para>
        </listitem>

        <listitem>
          <para>
            <emphasis role="bold">RDP5.1</emphasis> authentication
            employs a server certificate for which the client possesses
            the public key. This way it is guaranteed that the server
            possesses the corresponding private key. However, as this
            hard-coded private key became public some years ago, anyone
            can present a certificate the client accepts, and RDP5.1
            authentication is also insecure.
          </para>
        </listitem>

        <listitem>
          <para>
            <emphasis role="bold">RDP5.2</emphasis> authentication uses
            Enhanced RDP Security, which means that an external security
            protocol is used to secure the connection. RDP4 and RDP5.1
            use Standard RDP Security. The VRDP server supports Enhanced
            RDP Security with the TLS protocol and, as a part of the TLS
            handshake, sends the server certificate to the client.
          </para>

          <para>
            The <computeroutput>Security/Method</computeroutput> VRDE
            property sets the desired security method, which is used for
            a connection. Valid values are as follows:
          </para>

          <itemizedlist>

            <listitem>
              <para>
                <emphasis role="bold">Negotiate.</emphasis> Both
                Enhanced (TLS) and Standard RDP Security connections are
                allowed. The security method is negotiated with the
                client. This is the default setting. Note that a client
                which offers only Standard RDP Security is therefore
                still accepted, with the weaknesses described above.
              </para>
            </listitem>

            <listitem>
              <para>
                <emphasis role="bold">RDP.</emphasis> Only Standard RDP
                Security is accepted.
              </para>
            </listitem>

            <listitem>
              <para>
                <emphasis role="bold">TLS.</emphasis> Only Enhanced RDP
                Security is accepted. The client must support TLS.
              </para>

              <para>
                The OpenSSL library version determines which versions of
                TLS are supported. The &product-name; clients include at
                least Version 1.1.0 of the OpenSSL library. This library
                supports TLS versions 1.0, 1.1, and 1.2. Some clients
                might include newer versions of the OpenSSL library and
                thus support additional TLS versions.
              </para>
            </listitem>

          </itemizedlist>

          <para>
            For example, the following command enables a client to use
            either a Standard or an Enhanced RDP Security connection:
          </para>

<screen>VBoxManage modifyvm "VM name" --vrdeproperty "Security/Method=negotiate"</screen>

          <para>
            If the <computeroutput>Security/Method</computeroutput>
            property is set to either Negotiate or TLS, the TLS protocol
            will be automatically used by the server, if the client
            supports TLS. However, in order to use TLS the server must
            possess the Server Certificate, the Server Private Key and
            the Certificate Authority (CA) Certificate. The following
            example shows how to generate a server certificate.
          </para>

          <orderedlist>

            <listitem>
              <para>
                Create a CA self signed certificate. The CA key is only
                needed for signing, so it can stay passphrase protected
                and need not be present on the server at all.
              </para>

<screen>openssl req -new -x509 -days 365 -extensions v3_ca \
    -keyout ca_key_private.pem -out ca_cert.pem</screen>
            </listitem>

            <listitem>
              <para>
                Generate a server private key and a request for signing.
                The key is written unencrypted, which is what the VRDP
                server needs since there is no property for a key
                passphrase; protect the file with permissions instead.
              </para>

<screen>openssl genrsa -out server_key_private.pem 2048
openssl req -new -key server_key_private.pem -out server_req.pem</screen>
            </listitem>

            <listitem>
              <para>
                Generate the server certificate.
              </para>

<screen>openssl x509 -req -days 365 -in server_req.pem \
    -CA ca_cert.pem -CAkey ca_key_private.pem -set_serial 01 -out server_cert.pem</screen>
            </listitem>

          </orderedlist>

          <para>
            The server must be configured to access the required files.
            For example:
          </para>

<screen>VBoxManage modifyvm "VM name" \
    --vrdeproperty "Security/CACertificate=path/ca_cert.pem"</screen>

<screen>VBoxManage modifyvm "VM name" \
    --vrdeproperty "Security/ServerCertificate=path/server_cert.pem"</screen>

<screen>VBoxManage modifyvm "VM name" \
    --vrdeproperty "Security/ServerPrivateKey=path/server_key_private.pem"</screen>

          <para>
            The certificate only protects against an impostor if the
            client verifies it: install
            <computeroutput>ca_cert.pem</computeroutput> as a trusted CA
            on the clients, and make the server private key readable
            only by the user account that runs the VM.
          </para>
        </listitem>

      </itemizedlist>

      <para>
        The client that connects to the server proposes which type of
        security it supports, and the server's
        <computeroutput>Security/Method</computeroutput> setting decides
        what is accepted. With <command>rdesktop</command>, the Linux
        RDP viewer, use the <computeroutput>-4</computeroutput> or
        <computeroutput>-5</computeroutput> options to select the
        protocol version.
      </para>
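
      <para>
        As an added example, not part of &product-name;, the following
        Python script checks from the client side which of these methods
        a server really applies, which is the test to run after changing
        <computeroutput>Security/Method</computeroutput>. It sends the
        X.224 Connection Request carrying the client's requested
        protocols and decodes the Connection Confirm, the exchange in
        which client and server settle on Standard or Enhanced RDP
        Security, then completes the TLS handshake when TLS was chosen
        and returns the certificate the server presented. The host and
        port in the usage are assumptions; the server replies used for
        checking are constructed, not captured from a VRDP server.
      </para>

```python
#!/usr/bin/env python3
"""Probe which RDP security method a VRDP server actually applies.

Added example, not VirtualBox code. It speaks the first exchange of an RDP
connection (MS-RDPBCGR 2.2.1.1 / 2.2.1.2): the client lists the protocols
it accepts in the X.224 Connection Request, the server answers with the
one it selected, or with a failure code, in the Connection Confirm. A
server configured with Security/Method=TLS must never select Standard RDP
Security; a server left at the Negotiate default will, for a client that
offers nothing else. Host and port in the usage are assumptions.
"""
import socket
import ssl
import struct

PROTOCOL_RDP = 0x00000000   # Standard RDP Security only (the RC4 scheme above)
PROTOCOL_SSL = 0x00000001   # Enhanced RDP Security over TLS
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER",
                 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header, X.224 CR TPDU (LI, 0xE0, dst-ref, src-ref, class 0) and
    the rdpNegReq (type 1, flags 0, length 8, requestedProtocols, LE)."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    x224 = struct.pack("!BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes):
    """Return ('TLS' or 'RDP', selectedProtocol). A confirm carrying no
    rdpNegRsp (11 bytes) comes from a server that only does Standard RDP
    Security. A refusal is raised with the server's reason."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    tpkt_len = struct.unpack("!H", data[2:4])[0]
    if tpkt_len == 11:
        return "RDP", PROTOCOL_RDP
    if len(data) < 19:
        raise ValueError("truncated Connection Confirm")
    typ, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if typ == TYPE_RDP_NEG_FAILURE:
        raise ConnectionRefusedError(FAILURE_CODES.get(value, f"failureCode {value}"))
    if typ != TYPE_RDP_NEG_RSP or neg_len != 8:
        raise ValueError("malformed rdpNegRsp")
    return ("TLS" if value & PROTOCOL_SSL else "RDP"), value


def probe(host: str, port: int, requested: int = PROTOCOL_SSL, timeout: float = 5.0):
    """Negotiate with a live server; if TLS was selected, finish the handshake
    and also return the PEM certificate it presented. Verification is off on
    purpose here: the point is to see what the server offers. A production
    client must verify against the CA certificate instead."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(requested))
        method, selected = parse_connection_confirm(sock.recv(64))  # one 19-byte TPKT
        if method != "TLS":
            return method, selected, None
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return method, selected, ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    # Assumed address. Two probes: does the server take TLS, and does it still
    # accept a client offering only Standard RDP Security? After setting
    # Security/Method=TLS the second one must be refused.
    for wanted in (PROTOCOL_SSL, PROTOCOL_RDP):
        try:
            print(wanted, probe("192.0.2.10", 5000, wanted)[:2])
        except (OSError, ValueError) as exc:
            print(wanted, "refused:", exc)
```

      <para>
        A server answering the second probe with a plain confirm is
        still willing to run the RC4 scheme; set
        <computeroutput>Security/Method=TLS</computeroutput> and probe
        again until that request is refused with
        <computeroutput>SSL_REQUIRED_BY_SERVER</computeroutput>.
      </para>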

    </sect2>

    <sect2 id="vrde-multiconnection">

      <title>Multiple Connections to the VRDP Server</title>

      <para>
        The VRDP server of &product-name; supports multiple simultaneous
        connections to the same running VM from different clients. All
        connected clients see the same screen output and share a mouse
        pointer and keyboard focus. This is similar to several people
        using the same computer at the same time, taking turns at the
        keyboard. Note that every client that passes the VM's
        authentication joins the same session, including whatever the
        first user has already unlocked in the guest.
      </para>

      <para>
        The following command enables multiple connection mode:
      </para>

<screen>VBoxManage modifyvm "VM name" --vrdemulticon on</screen>

    </sect2>

    <sect2 id="vrde-multimonitor">

      <title>Multiple Remote Monitors</title>

      <para>
        To access two or more remote VM displays you have to enable the
        VRDP multiconnection mode. See
        <xref linkend="vrde-multiconnection"/>.
      </para>

      <para>
        The RDP client can select the virtual monitor number to connect
        to using the <computeroutput>domain</computeroutput> login
        parameter (<computeroutput>-d</computeroutput>). If the
        parameter ends with <computeroutput>@</computeroutput> followed
        by a number, &product-name; interprets this number as the screen
        index. The primary guest screen is selected with
        <computeroutput>@1</computeroutput>, the first secondary screen
        is <computeroutput>@2</computeroutput>, and so on.
      </para>

      <para>
        The Microsoft RDP6 client does not let you specify a separate
        domain name. Instead, enter
        <computeroutput>domain\username</computeroutput> in the
        <emphasis role="bold">Username</emphasis> field. For example,
        <computeroutput>@2\name</computeroutput>.
        <computeroutput>name</computeroutput> must be supplied, and must
        be the name used to log in if the VRDP server is set up to
        require credentials. If it is not, you may use any text as the
        username.
      </para>

    </sect2>

    <sect2 id="vrde-videochannel">

      <title>VRDP Video Redirection</title>

      <para>
        The VRDP server can redirect video streams from the guest to the
        RDP client. Video frames are compressed using the JPEG algorithm,
        allowing a higher compression ratio than standard RDP bitmap
        compression methods. It is possible to increase the compression
        ratio by lowering the video quality.
      </para>

      <para>
        The VRDP server automatically detects video streams in a guest
        as frequently updated rectangular areas. As a result, this
        method works with any guest operating system without having to
        install additional software in the guest. In particular, the
1035 Guest Additions are not required.
1036 </para>
1037
1038 <para>
1039 On the client side, however, currently only the Windows 7 Remote
1040 Desktop Connection client supports this feature. If a client
1041 does not support video redirection, the VRDP server falls back
1042 to regular bitmap updates.
1043 </para>
1044
1045 <para>
1046 The following command enables video redirection:
1047 </para>
1048
1049<screen>VBoxManage modifyvm "VM name" --vrdevideochannel on</screen>
1050
1051 <para>
1052 The quality of the video is defined as a value from 10 to 100
1053 percent, representing a JPEG compression level, where lower
1054 numbers mean lower quality but higher compression. The quality
1055 can be changed using the following command:
1056 </para>
1057
1058<screen>VBoxManage modifyvm "VM name" --vrdevideochannelquality 75</screen>
1059
1060 </sect2>
1061
1062 <sect2 id="vrde-customization">
1063
1064 <title>VRDP Customization</title>
1065
1066 <para>
1067 With &product-name; it is possible to disable display output,
1068 mouse and keyboard input, audio, remote USB, or clipboard
1069 individually in the VRDP server.
1070 </para>
1071
1072 <para>
1073 The following commands change the corresponding server settings:
1074 </para>
1075
1076<screen>VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableDisplay=1
1077VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableInput=1
1078VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableUSB=1
1079VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableAudio=1
1080VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableClipboard=1
1081VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableUpstreamAudio=1</screen>
1082
 1083 <para>
 1084 To re-enable a feature, set the same property to an empty value,
 1085 that is, issue the command without the trailing 1. For example:
 1086 </para>
1087
1088<screen>VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableDisplay=</screen>
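 <para>
 The following shell functions are an added example and not code from
 the &product-name; manual. They turn the properties above into a
 repeatable lockdown plus an audit check: one function prints the
 <command>VBoxManage modifyvm</command> commands for a list of features,
 the other reads the output of <command>VBoxManage showvminfo
 --machinereadable</command> and reports which
 <computeroutput>Client/Disable*</computeroutput> properties are not
 set to 1, treating an empty value as re-enabled exactly as the text
 describes. The line format
 <computeroutput>vrdeproperty[Client/DisableUSB]="1"</computeroutput>
 is assumed to be what <command>showvminfo --machinereadable</command>
 prints for VRDE properties, and the sample dump and VM name are
 constructed for the example.
 </para>

```shell
# Added example (not from the VirtualBox manual): generate the VRDP lockdown
# commands and audit a VM's VRDE properties for the ones that are missing.

# vrde_lockdown_cmds VMNAME FEATURE...
# FEATURE is one of Display, Input, USB, Audio, Clipboard, UpstreamAudio;
# prints one "VBoxManage modifyvm" command per feature.
vrde_lockdown_cmds() {
    vm=$1; shift
    for feature in "$@"; do
        printf 'VBoxManage modifyvm "%s" --vrdeproperty Client/Disable%s=1\n' "$vm" "$feature"
    done
}

# vrde_disabled_from_vminfo   (reads "showvminfo --machinereadable" on stdin)
# Prints the Client/Disable* property names whose value is exactly "1".
# Assumed line format: vrdeproperty[Client/DisableUSB]="1"
vrde_disabled_from_vminfo() {
    sed -n 's|^vrdeproperty\[\(Client/Disable[A-Za-z]*\)]="1"$|\1|p'
}

# vrde_missing_lockdown FEATURE...   (reads "showvminfo --machinereadable" on stdin)
# Prints every wanted Client/Disable* property that is absent or not "1"
# (an empty value means the feature was re-enabled) and returns 1 if any.
vrde_missing_lockdown() {
    disabled=$(vrde_disabled_from_vminfo)
    missing=0
    for want in "$@"; do
        printf '%s\n' "$disabled" | grep -qx "Client/Disable$want" || {
            echo "Client/Disable$want"
            missing=1
        }
    done
    return $missing
}

# Constructed sample dump: USB and clipboard are blocked, audio was re-enabled
# by setting the property to an empty value, upstream audio was never touched.
SAMPLE_VMINFO='name="kiosk"
vrde="on"
vrdeproperty[TCP/Ports]="3389"
vrdeproperty[Client/DisableUSB]="1"
vrdeproperty[Client/DisableClipboard]="1"
vrdeproperty[Client/DisableAudio]=""'

# With a real VM this would be:
#   VBoxManage showvminfo kiosk --machinereadable | vrde_missing_lockdown USB Clipboard Audio
printf '%s\n' "$SAMPLE_VMINFO" | vrde_missing_lockdown USB Clipboard Audio UpstreamAudio \
    || echo "the properties above are not locked down"
vrde_lockdown_cmds kiosk Audio UpstreamAudio
```

 <para>
 The audit treats anything other than a literal 1 as enabled, so a
 property that was cleared to re-enable a feature shows up as missing
 rather than silently passing.
 </para>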
1089
1090 </sect2>
1091
1092 </sect1>
1093
1094 <sect1 id="teleporting">
1095
1096 <title>Teleporting</title>
1097
1098 <para>
1099 &product-name; supports <emphasis>teleporting</emphasis>.
1100 Teleporting is moving a virtual machine over a network from one
1101 &product-name; host to another, while the virtual machine is
1102 running. This works regardless of the host operating system that
1103 is running on the hosts. You can teleport virtual machines between
1104 Oracle Solaris and Mac hosts, for example.
1105 </para>
1106
1107 <para>
1108 Teleporting requires that a machine be currently running on one
1109 host, which is called the <emphasis>source</emphasis>. The host to
1110 which the virtual machine will be teleported is called the
1111 <emphasis>target</emphasis>. The machine on the target is then
1112 configured to wait for the source to contact the target. The
1113 machine's running state will then be transferred from the source
1114 to the target with minimal downtime.
1115 </para>
1116
1117 <para>
 1118 Teleporting happens over any TCP/IP network. The source and the
 1119 target only need to agree on a TCP/IP port which is specified in
 1120 the teleporting settings. The target waits for a connection on that port, so restrict the port to a trusted network and configure a teleporter password on both sides, so that only the intended source can push a running machine into the waiting target. The password options are described in <xref linkend="vboxmanage-modifyvm-teleport" />.
 1121 </para>
1122
1123 <para>
1124 At this time, there are a few prerequisites for this to work, as
1125 follows:
1126 </para>
1127
1128 <itemizedlist>
1129
1130 <listitem>
1131 <para>
1132 On the target host, you must configure a virtual machine in
1133 &product-name; with exactly the same hardware settings as the
1134 machine on the source that you want to teleport. This does not
1135 apply to settings which are merely descriptive, such as the VM
1136 name, but obviously for teleporting to work, the target
1137 machine must have the same amount of memory and other hardware
1138 settings. Otherwise teleporting will fail with an error
1139 message.
1140 </para>
1141 </listitem>
1142
1143 <listitem>
1144 <para>
1145 The two virtual machines on the source and the target must
1146 share the same storage, hard disks as well as floppy disks and
1147 CD/DVD images. This means that they either use the same iSCSI
1148 targets or that the storage resides somewhere on the network
1149 and both hosts have access to it using NFS or SMB/CIFS.
1150 </para>
1151
1152 <para>
1153 This also means that neither the source nor the target machine
1154 can have any snapshots.
1155 </para>
1156 </listitem>
1157
1158 </itemizedlist>
1159
1160 <para>
1161 To configure teleporting, perform the following steps:
1162 </para>
1163
1164 <orderedlist>
1165
1166 <listitem>
1167 <para>
1168 On the <emphasis>target</emphasis> host, configure the virtual
1169 machine to wait for a teleport request to arrive when it is
1170 started, instead of actually attempting to start the machine.
1171 This is done with the following <command>VBoxManage</command>
1172 command:
1173 </para>
1174
1175<screen>VBoxManage modifyvm &lt;targetvmname&gt; --teleporter on --teleporterport &lt;port&gt;</screen>
1176
1177 <para>
1178 where <computeroutput>&lt;targetvmname&gt;</computeroutput> is
1179 the name of the virtual machine on the target host and
1180 <computeroutput>&lt;port&gt;</computeroutput> is a TCP/IP port
1181 number to be used on both the source and the target hosts. For
1182 example, use 6000. See
1183 <xref linkend="vboxmanage-modifyvm-teleport" />.
1184 </para>
1185 </listitem>
1186
1187 <listitem>
1188 <para>
1189 Start the VM on the target host. Instead of running, the VM
1190 shows a progress dialog, indicating that it is waiting for a
1191 teleport request to arrive.
1192 </para>
1193 </listitem>
1194
1195 <listitem>
1196 <para>
1197 Start the VM on the <emphasis>source</emphasis> host as usual.
1198 When it is running and you want it to be teleported, issue the
1199 following command on the source host:
1200 </para>
1201
1202<screen>VBoxManage controlvm &lt;sourcevmname&gt; teleport --host &lt;targethost&gt; --port &lt;port&gt;</screen>
1203
1204 <para>
1205 where <computeroutput>&lt;sourcevmname&gt;</computeroutput> is
1206 the name of the virtual machine on the source host, which is
1207 the machine that is currently running.
1208 <computeroutput>&lt;targethost&gt;</computeroutput> is the
1209 host or IP name of the target host on which the machine is
1210 waiting for the teleport request, and
1211 <computeroutput>&lt;port&gt;</computeroutput> must be the same
1212 number as specified in the command on the target host. See
1213 <xref linkend="vboxmanage-controlvm" />.
1214 </para>
1215 </listitem>
1216
1217 </orderedlist>
1218
1219 <para>
1220 For testing, you can also teleport machines on the same host. In
1221 that case, use localhost as the hostname on both the source and
1222 the target host.
1223 </para>
1224
1225 <note>
1226 <para>
1227 In rare cases, if the CPUs of the source and the target are very
1228 different, teleporting can fail with an error message, or the
1229 target may hang. This may happen especially if the VM is running
1230 application software that is highly optimized to run on a
1231 particular CPU without correctly checking that certain CPU
1232 features are actually present. &product-name; filters what CPU
1233 capabilities are presented to the guest operating system.
1234 Advanced users can attempt to restrict these virtual CPU
1235 capabilities with the <computeroutput>VBoxManage modifyvm
1236 --cpuid</computeroutput> command. See
1237 <xref linkend="vboxmanage-modifyvm-teleport" />.
1238 </para>
1239 </note>
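 <para>
 The following script is an added example, not code from the
 &product-name; manual. It puts the prerequisites and the three
 configuration steps above into checkable form: a pre-flight check
 compares the hardware settings of the source and target machines and
 refuses if either has snapshots, and two small functions print the
 target-side and source-side commands, including the
 <computeroutput>--teleporterpasswordfile</computeroutput> and
 <computeroutput>--passwordfile</computeroutput> options of
 <command>VBoxManage modifyvm</command> and <command>VBoxManage
 controlvm teleport</command>. <command>VBoxManage</command> is not
 run; the two machine dumps are constructed inline and the key names
 (<computeroutput>memory=</computeroutput>,
 <computeroutput>cpus=</computeroutput>,
 <computeroutput>SnapshotName=</computeroutput> and so on) are assumed
 to be those printed by <command>VBoxManage showvminfo
 --machinereadable</command>. Host names, VM names, the port and the
 password file path are made up for the example.
 </para>

```shell
# Added example (not from the VirtualBox manual): teleport pre-flight check
# and the command sets for the target and source hosts. Key names in the
# machinereadable dumps are assumed; the dumps themselves are constructed.

# vminfo_get INFO KEY  -> value of the first "KEY=value" line in INFO, or empty
vminfo_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# Hardware settings that must agree; descriptive ones such as name= are skipped.
TELEPORT_HW_KEYS="memory cpus chipset firmware vram ostype hwvirtex nestedpaging pae"

# teleport_precheck SRC_INFO TGT_INFO
# Prints one line per problem and returns 1 if there is any; returns 0 when
# the hardware settings match and neither machine has a snapshot.
teleport_precheck() {
    src=$1; tgt=$2; rc=0
    for key in $TELEPORT_HW_KEYS; do
        a=$(vminfo_get "$src" "$key"); b=$(vminfo_get "$tgt" "$key")
        if [ "$a" != "$b" ]; then
            echo "mismatch: $key source=$a target=$b"; rc=1
        fi
    done
    for side in source target; do
        if [ "$side" = source ]; then info=$src; else info=$tgt; fi
        if [ -n "$(vminfo_get "$info" SnapshotName)" ]; then
            echo "$side has snapshots; teleporting requires none"; rc=1
        fi
    done
    return $rc
}

# teleport_target_cmds VM PORT PWFILE  -> commands to run on the target host
teleport_target_cmds() {
    printf 'VBoxManage modifyvm "%s" --teleporter on --teleporterport %s --teleporterpasswordfile %s\n' "$1" "$2" "$3"
    printf 'VBoxManage startvm "%s"\n' "$1"
}

# teleport_source_cmds VM TARGETHOST PORT PWFILE  -> command to run on the source host
teleport_source_cmds() {
    printf 'VBoxManage controlvm "%s" teleport --host %s --port %s --passwordfile %s\n' "$1" "$2" "$3" "$4"
}

# Constructed sample dumps: identical hardware, but the target still has a snapshot.
SRC_INFO='name="web-src"
memory=2048
cpus=2
chipset="piix3"
firmware="BIOS"
vram=16
ostype="Ubuntu_64"
hwvirtex="on"
nestedpaging="on"
pae="on"'
TGT_INFO='name="web-tgt"
memory=2048
cpus=2
chipset="piix3"
firmware="BIOS"
vram=16
ostype="Ubuntu_64"
hwvirtex="on"
nestedpaging="on"
pae="on"
SnapshotName="before-upgrade"'

teleport_precheck "$SRC_INFO" "$TGT_INFO" || echo "fix the problems above before teleporting"
teleport_target_cmds web-tgt 6000 /root/teleport.pw
teleport_source_cmds web-src target.example.test 6000 /root/teleport.pw
```

 <para>
 Against real machines the dumps come from <command>VBoxManage
 showvminfo --machinereadable</command> on each host; the same port
 number and the same password file contents must be used on both
 sides, and the check deliberately compares the raw values so that a
 difference such as 2048 versus 1024 MB of memory is caught before the
 source starts sending state.
 </para>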
1240
1241 </sect1>
1242
1243</chapter>