VirtualBox

source: vbox/trunk/doc/manual/en_US/user_Frontends.xml@ 69476

Last change on this file since 69476 was 69476, checked in by vboxsync, 7 years ago

manual/*xml: svn:eol-style=native

  • Property svn:eol-style set to native
File size: 41.4 KB
Line 
1<?xml version="1.0" encoding="UTF-8"?>
2<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
3"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
4<chapter>
5 <title>Remote virtual machines</title>
6
7 <sect1 id="vrde">
8 <title>Remote display (VRDP support)</title>
9
10 <para>VirtualBox can display virtual machines remotely, meaning that a
11 virtual machine can execute on one computer even though the machine will be
12 displayed on a second computer, and the machine will be controlled from
13 there as well, as if the virtual machine was running on that second
14 computer.</para>
15
16 <para>For maximum flexibility, starting with VirtualBox 4.0, VirtualBox
17 implements remote machine display through a generic extension interface,
18 the VirtualBox Remote Desktop Extension (VRDE). The base open-source
19 VirtualBox package only provides this interface, while implementations can
20 be supplied by third parties with VirtualBox extension packages, which
21 must be installed separately from the base package. See <xref
22 linkend="intro-installing" /> for more information.</para>
23
24 <para>Oracle provides support for the <emphasis role="bold">VirtualBox
25 Remote Display Protocol (VRDP)</emphasis> in such a VirtualBox extension
26 package. When this package is installed, VirtualBox versions 4.0 and later
27 support VRDP the same way as binary (non-open-source) versions of
28 VirtualBox before 4.0 did.</para>
29
30 <para>VRDP is a backwards-compatible extension to Microsoft's Remote
31 Desktop Protocol (RDP). As a result, you can use any standard RDP client
32 to control the remote VM.</para>
33
34 <para>Even when the extension is installed, the VRDP server is disabled by
35 default. It can easily be enabled on a per-VM basis either in the
36 VirtualBox Manager in the "Display" settings (see <xref
37 linkend="settings-display" />) or with
38 <computeroutput>VBoxManage</computeroutput>:<screen>VBoxManage modifyvm "VM name" --vrde on</screen></para>
39
40 <para>By default, the VRDP server uses TCP port
41 <computeroutput>3389</computeroutput>. You will need to change the
42 default port if you run more than one VRDP server, since the port can
43 only be used by one server at a time; you might also need to change it
44 on Windows hosts since the default port might already be used by the RDP
45 server that is built into Windows itself. Ports 5000 through 5050 are
46 typically not used and might be a good choice.</para>
47
48 <para>The port can be changed either in the "Display" settings of the
49 graphical user interface or with
50 <computeroutput>--vrdeport</computeroutput> option of the
51 <computeroutput>VBoxManage modifyvm</computeroutput> command. You can
52 specify a comma-separated list of ports or ranges of ports. Use a dash
53 between two port numbers to specify a range. The VRDP server will bind
54 to <emphasis role="bold">one</emphasis> of available ports from the
55 specified list. For example, <computeroutput>VBoxManage modifyvm "VM
56 name" --vrdeport 5000,5010-5012</computeroutput> will configure the
57 server to bind to one of the ports 5000, 5010, 5011 or 5012. See <xref
58 linkend="vboxmanage-modifyvm-vrde" /> for details.</para>
59
60 <para>The actual port used by a running VM can be either queried with
61 <computeroutput>VBoxManage showvminfo</computeroutput> command or seen
62 in the GUI on the "Runtime" tab of the "Session Information Dialog",
63 which is accessible via the "Machine" menu of the VM window.</para>
64
65 <para>Support for IPv6 has been implemented in VirtualBox 4.3.
66 If the host OS supports IPv6 the VRDP server will automatically
67 listen for IPv6 connections in addition to IPv4.</para>
68
69 <sect2 id="rdp-viewers">
70 <title>Common third-party RDP viewers</title>
71
72 <para>Since VRDP is backwards-compatible to RDP, you can use any
73 standard RDP viewer to connect to such a remote virtual machine
74 (examples follow below). For this to work, you must specify the
75 <emphasis role="bold">IP address</emphasis> of your
76 <emphasis>host</emphasis> system (not of the virtual machine!) as the
77 server address to connect to, as well as the <emphasis role="bold">port
78 number</emphasis> that the VRDP server is using.</para>
79
80 <para>Here follow examples for the most common RDP viewers:<itemizedlist>
81 <listitem>
82 <para>On Windows, you can use the Microsoft Terminal Services
83 Connector (<computeroutput>mstsc.exe</computeroutput>) that ships
84 with Windows. You can start it by bringing up the "Run" dialog
85 (press the Windows key and "R") and typing "mstsc". You can also
86 find it under "Start" &rarr; "All Programs" &rarr; "Accessories"
87 &rarr; "Remote Desktop Connection". If you use the "Run" dialog,
88 you can type in options directly:<screen>mstsc 1.2.3.4:3389</screen></para>
89
90 <para>Replace <computeroutput>1.2.3.4</computeroutput> with the host IP address,
91 and <computeroutput>3389</computeroutput> with a different port if necessary.</para>
92
93 <note>
94 <para>IPv6 address must be enclosed in square brackets to specify a port.
95 For example: <computeroutput>mstsc [fe80::1:2:3:4]:3389</computeroutput></para>
96 </note>
97
98 <note>
99 <para>When connecting to localhost in order to test the
100 connection, the addresses
101 <computeroutput>localhost</computeroutput> and
102 <computeroutput>127.0.0.1</computeroutput> might not work using
103 <computeroutput>mstsc.exe</computeroutput>. Instead, the address
104 <computeroutput>127.0.0.2[:3389]</computeroutput> has to be
105 used.</para>
106 </note>
107 </listitem>
108
109 <listitem>
110 <para>On other systems, you can use the standard open-source
111 <computeroutput>rdesktop</computeroutput> program. This ships with
112 most Linux distributions, but VirtualBox also comes with a
113 modified variant of rdesktop for remote USB support (see <xref
114 linkend="usb-over-rdp" /> below).</para>
115
116 <para>With rdesktop, use a command line such as the
117 following:<screen>rdesktop -a 16 -N 1.2.3.4:3389</screen></para>
118
119 <para>As said for the Microsoft viewer above, replace <computeroutput>1.2.3.4</computeroutput>
120 with the host IP address, and <computeroutput>3389</computeroutput> with a different port if
121 necessary. The <computeroutput>-a 16</computeroutput> option
122 requests a color depth of 16 bits per pixel, which we recommend.
123 (For best performance, after installation of the guest operating
124 system, you should set its display color depth to the same value).
125 The <computeroutput>-N</computeroutput> option enables use of the
126 NumPad keys.</para>
127 </listitem>
128
129 <listitem>
130 <para>If you run the KDE desktop, you might prefer
131 <computeroutput>krdc</computeroutput>, the KDE RDP viewer. The
132 command line would look like this:<screen>krdc rdp://1.2.3.4:3389</screen></para>
133
134 <para>Again, replace <computeroutput>1.2.3.4</computeroutput> with the host IP address,
135 and <computeroutput>3389</computeroutput> with a different port if necessary.
136 The "rdp://" bit is required with krdc to switch it into RDP mode.</para>
137 </listitem>
138
139 <listitem>
140 <para>With Sun Ray thin clients you can use
141 <computeroutput>uttsc</computeroutput>, which is part of the
142 Sun Ray Windows Connector package. See the corresponding
143 documentation for details.</para>
144 </listitem>
145 </itemizedlist></para>
146 </sect2>
147
148 <sect2 id="vboxheadless">
149 <title>VBoxHeadless, the remote desktop server</title>
150
151 <para>While any VM started from the VirtualBox Manager is capable of
152 running virtual machines remotely, it is not convenient to have to run
153 the full-fledged GUI if you never want to have VMs displayed locally in
154 the first place. In particular, if you are running server hardware whose
155 only purpose is to host VMs, and all your VMs are supposed to run
156 remotely over VRDP, then it is pointless to have a graphical user
157 interface on the server at all -- especially since, on a Linux or
158 Solaris host, the VirtualBox manager comes with dependencies on the Qt
159 and SDL libraries. This is inconvenient if you would rather not have the
160 X Window system on your server at all.</para>
161
162 <para>VirtualBox therefore comes with yet another front-end called
163 <computeroutput>VBoxHeadless</computeroutput>, which produces no visible
164 output on the host at all, but still can deliver VRDP data. This
165 front-end has no dependencies on the X Window system on Linux and
166 Solaris hosts.<footnote>
167 <para>Before VirtualBox 1.6, the headless server was called
168 <computeroutput>VBoxVRDP</computeroutput>. For the sake of backwards
169 compatibility, the VirtualBox installation still installs an
170 executable with that name as well.</para>
171 </footnote></para>
172
173 <para>To start a virtual machine with
174 <computeroutput>VBoxHeadless</computeroutput>, you have three
175 options:</para>
176
177 <itemizedlist>
178 <listitem>
179 <para>You can use <screen>VBoxManage startvm "VM name" --type headless</screen>The
180 extra <computeroutput>--type</computeroutput> option causes
181 VirtualBox to use <computeroutput>VBoxHeadless</computeroutput> as
182 the front-end to the internal virtualization engine instead of the
183 Qt front-end.</para>
184 </listitem>
185
186 <listitem>
187 <para>One alternative is to use
188 <computeroutput>VBoxHeadless</computeroutput> directly, as
189 follows:<screen>VBoxHeadless --startvm &lt;uuid|name&gt;</screen></para>
190
191 <para>This way of starting the VM helps troubleshooting problems
192 reported by <computeroutput>VBoxManage startvm ...</computeroutput>
193 because you can see sometimes more detailed error messages,
194 especially for early failures before the VM execution is started.
195 In normal situations <computeroutput>VBoxManage startvm</computeroutput>
196 is preferred since it runs the VM directly as a background process
197 which has to be done explicitly when directly starting
198 <computeroutput>VBoxHeadless</computeroutput>.</para>
199 </listitem>
200
201 <listitem>
202 <para>The other alternative is to start
203 <computeroutput>VBoxHeadless</computeroutput> from the VirtualBox
204 Manager GUI, by holding the Shift key when starting a virtual
205 machine or selecting <computeroutput>Headless Start</computeroutput>
206 from the <computeroutput>Machine</computeroutput> menu.
207 </para>
208 </listitem>
209 </itemizedlist>
210
211 <para>Since VirtualBox version 5.0, when you use
212 <computeroutput>VBoxHeadless</computeroutput> to start a VM,
213 the VRDP server will be enabled according to the VM configuration.
214 You can override the VM's setting using <computeroutput>--vrde</computeroutput>
215 command line parameter. To enable the VRDP server start the VM like
216 this:<screen>VBoxHeadless --startvm &lt;uuid|name&gt; --vrde on</screen>
217 and to disable it:<screen>VBoxHeadless --startvm &lt;uuid|name&gt; --vrde off</screen>
218 To have the VRDP server enabled depending on the VM configuration, as the
219 other front-ends would, you can still use:
220 <screen>VBoxHeadless --startvm &lt;uuid|name&gt; --vrde config</screen>
221 but this is the same as <screen>VBoxHeadless --startvm &lt;uuid|name&gt;</screen></para>
222
223 <para>If you start the VM with <computeroutput>VBoxManage startvm ...</computeroutput>
224 then the configuration settings of the VM are always used.</para>
225 </sect2>
226
227 <sect2>
228 <title>Step by step: creating a virtual machine on a headless
229 server</title>
230
231 <para>The following instructions may give you an idea how to create a
232 virtual machine on a headless server over a network connection. We will
233 create a virtual machine, establish an RDP connection and install a
234 guest operating system -- all without having to touch the headless
235 server. All you need is the following:</para>
236
237 <para><orderedlist>
238 <listitem>
239 <para>VirtualBox on a server machine with a supported host
240 operating system. The VirtualBox extension pack for the VRDP
241 server must be installed (see the previous section). For the
242 following example, we will assume a Linux server.</para>
243 </listitem>
244
245 <listitem>
246 <para>An ISO file accessible from the server, containing the
247 installation data for the guest operating system to install (we
248 will assume Windows XP in the following example).</para>
249 </listitem>
250
251 <listitem>
252 <para>A terminal connection to that host through which you can
253 access a command line (e.g. via
254 <computeroutput>ssh</computeroutput>).</para>
255 </listitem>
256
257 <listitem>
258 <para>An RDP viewer on the remote client; see <xref
259 linkend="rdp-viewers" /> above for examples.</para>
260 </listitem>
261 </orderedlist>Note again that on the server machine, since we will
262 only use the headless server, neither Qt nor SDL nor the X Window system
263 will be needed.</para>
264
265 <para><orderedlist>
266 <listitem>
267 <para>On the headless server, create a new virtual machine:</para>
268
269 <screen>VBoxManage createvm --name "Windows XP" --ostype WindowsXP --register</screen>
270
271 <para>Note that if you do not specify
272 <computeroutput>--register</computeroutput>, you will have to
273 manually use the <computeroutput>registervm</computeroutput>
274 command later.</para>
275
276 <para>Note further that you do not need to specify
277 <computeroutput>--ostype</computeroutput>, but doing so selects
278 some sane default values for certain VM parameters, for example
279 the RAM size and the type of the virtual network device. To get a
280 complete list of supported operating systems you can use</para>
281
282 <screen>VBoxManage list ostypes</screen>
283 </listitem>
284
285 <listitem>
286 <para>Make sure the settings for this VM are appropriate for the
287 guest operating system that we will install. For example:<screen>VBoxManage modifyvm "Windows XP" --memory 256 --acpi on --boot1 dvd --nic1 nat</screen></para>
288 </listitem>
289
290 <listitem>
291 <para>Create a virtual hard disk for the VM (in this case, 10 GB in
292 size):<screen>VBoxManage createhd --filename "WinXP.vdi" --size 10000</screen></para>
293 </listitem>
294
295 <listitem>
296 <para>Add an IDE Controller to the new VM:<screen>VBoxManage storagectl "Windows XP" --name "IDE Controller"
297 --add ide --controller PIIX4</screen></para>
298 </listitem>
299
300 <listitem>
301 <para>Set the VDI file created above as the first virtual hard
302 disk of the new VM:<screen>VBoxManage storageattach "Windows XP" --storagectl "IDE Controller"
303 --port 0 --device 0 --type hdd --medium "WinXP.vdi"</screen></para>
304 </listitem>
305
306 <listitem>
307 <para>Attach the ISO file that contains the operating system
308 installation that you want to install later to the virtual
309 machine, so the machine can boot from it:<screen>VBoxManage storageattach "Windows XP" --storagectl "IDE Controller"
310 --port 0 --device 1 --type dvddrive --medium /full/path/to/iso.iso</screen></para>
311 </listitem>
312
313 <listitem>
314 <para>Enable VirtualBox remote desktop extension (the VRDP server):
315 <screen>VBoxManage modifyvm "Windows XP" --vrde on</screen></para>
316 </listitem>
317
318 <listitem>
319 <para>Start the virtual machine using VBoxHeadless:<screen>VBoxHeadless --startvm "Windows XP"</screen></para>
320
321 <para>If everything worked, you should see a copyright notice. If,
322 instead, you are returned to the command line, then something went
323 wrong.</para>
324 </listitem>
325
326 <listitem>
327 <para>On the client machine, fire up the RDP viewer and try to
328 connect to the server (see <xref linkend="rdp-viewers" /> above
329 for how to use various common RDP viewers).</para>
330
331 <para>You should now be seeing the installation routine of your
332 guest operating system remotely in the RDP viewer.</para>
333 </listitem>
334 </orderedlist></para>
335 </sect2>
336
337 <sect2 id="usb-over-rdp">
338 <title>Remote USB</title>
339
340 <para>As a special feature on top of the VRDP support, VirtualBox
341 supports remote USB devices over the wire as well. That is, the
342 VirtualBox guest that runs on one computer can access the USB devices of
343 the remote computer on which the VRDP data is being displayed the same
344 way as USB devices that are connected to the actual host. This allows
345 for running virtual machines on a VirtualBox host that acts as a server,
346 where a client can connect from elsewhere that needs only a network
347 adapter and a display capable of running an RDP viewer. When USB devices
348 are plugged into the client, the remote VirtualBox server can access
349 them.</para>
350
351 <para>For these remote USB devices, the same filter rules apply as for
352 other USB devices, as described with <xref linkend="settings-usb" />.
353 All you have to do is specify "Remote" (or "Any") when setting up these
354 rules.</para>
355
356 <para>Accessing remote USB devices is only possible if the RDP client
357 supports this extension. On Linux and Solaris hosts, the VirtualBox
358 installation provides a suitable VRDP client called
359 <computeroutput>rdesktop-vrdp</computeroutput>. Recent versions of
360 <computeroutput>uttsc</computeroutput>, a client tailored for the use
361 with Sun Ray thin clients, also support accessing remote USB devices.
362 RDP clients for other platforms will be provided in future VirtualBox
363 versions.</para>
364
365 <para>To make a remote USB device available to a VM,
366 <computeroutput>rdesktop-vrdp</computeroutput> should be started as
367 follows:<screen>rdesktop-vrdp -r usb -a 16 -N my.host.address</screen>
368 Please refer to <xref linkend="ts_usb-linux" /> for further details on how
369 to properly set up the permissions for USB devices. Furthermore it is
370 advisable to
371 disable automatic loading of any host driver on the remote host which
372 might work on USB devices to ensure that the devices are accessible by
373 the RDP client. If the setup was properly done on the remote host,
374 plug/unplug events are visible on the VBox.log file of the VM.</para>
375 </sect2>
376
377 <sect2 id="vbox-auth">
378 <title>RDP authentication</title>
379
380 <para>For each virtual machine that is remotely accessible via RDP, you
381 can individually determine if and how client connections are
382 authenticated. For this, use <computeroutput>VBoxManage
383 modifyvm</computeroutput> command with the
384 <computeroutput>--vrdeauthtype</computeroutput> option; see <xref
385 linkend="vboxmanage-modifyvm" /> for a general introduction. Three
386 methods of authentication are available:<itemizedlist>
387 <listitem>
388 <para>The "null" method means that there is no authentication at
389 all; any client can connect to the VRDP server and thus the
390 virtual machine. This is, of course, very insecure and only to be
391 recommended for private networks.</para>
392 </listitem>
393
394 <listitem>
395 <para>The "external" method provides external authentication
396 through a special authentication library. VirtualBox ships with
397 two such authentication libraries:<orderedlist>
398 <listitem>
399 <para>The default authentication library,
400 <computeroutput>VBoxAuth</computeroutput>, authenticates
401 against user credentials of the hosts. Depending on the host
402 platform, this means:<itemizedlist>
403 <listitem>
404 <para>On Linux hosts,
405 <computeroutput>VBoxAuth.so</computeroutput>
406 authenticates users against the host's PAM
407 system.</para>
408 </listitem>
409
410 <listitem>
411 <para>On Windows hosts,
412 <computeroutput>VBoxAuth.dll</computeroutput>
413 authenticates users against the host's WinLogon
414 system.</para>
415 </listitem>
416
417 <listitem>
418 <para>On Mac OS X hosts,
419 <computeroutput>VBoxAuth.dylib</computeroutput>
420 authenticates users against the host's directory
421 service.<footnote>
422 <para>Support for Mac OS X was added in version
423 3.2.</para>
424 </footnote></para>
425 </listitem>
426 </itemizedlist></para>
427
428 <para>In other words, the "external" method per default
429 performs authentication with the user accounts that exist on
430 the host system. Any user with valid authentication
431 credentials is accepted, i.e. the username does not have to
432 correspond to the user running the VM.</para>
433 </listitem>
434
435 <listitem>
436 <para>An additional library called
437 <computeroutput>VBoxAuthSimple</computeroutput> performs
438 authentication against credentials configured in the
439 "extradata" section of a virtual machine's XML settings
440 file. This is probably the simplest way to get
441 authentication that does not depend on a running and
442 supported guest (see below). The following steps are
443 required:<orderedlist>
444 <listitem>
445 <para>Enable
446 <computeroutput>VBoxAuthSimple</computeroutput> with
447 the following command:</para>
448
449 <para><screen>VBoxManage setproperty vrdeauthlibrary "VBoxAuthSimple"</screen></para>
450 </listitem>
451
452 <listitem>
453 <para>To enable the library for a particular VM, you
454 must then switch authentication to external:<screen>VBoxManage modifyvm "VM name" --vrdeauthtype external</screen></para>
455
456 <para>Replace
457 <computeroutput>&lt;vm&gt;</computeroutput> with the
458 VM name or UUID.</para>
459 </listitem>
460
461 <listitem>
462 <para>You will then need to configure users and
463 passwords by writing items into the machine's
464 extradata. Since the XML machine settings file, into
465 whose "extradata" section the password needs to be
466 written, is a plain text file, VirtualBox uses hashes
467 to encrypt passwords. The following command must be
468 used:<screen>VBoxManage setextradata "VM name" "VBoxAuthSimple/users/&lt;user&gt;" &lt;hash&gt;</screen></para>
469
470 <para>Replace
471 <computeroutput>&lt;vm&gt;</computeroutput> with the
472 VM name or UUID,
473 <computeroutput>&lt;user&gt;</computeroutput> with the
474 user name who should be allowed to log in and
475 <computeroutput>&lt;hash&gt;</computeroutput> with the
476 encrypted password. As an example, to obtain the hash
477 value for the password "secret", you can use the
478 following command:<screen>VBoxManage internalcommands passwordhash "secret"</screen></para>
479
480 <para>This will print
481 <screen>2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b</screen>
482 You can then use VBoxManage setextradata to store this
483 value in the machine's "extradata" section.</para>
484
485 <para>As example, combined together, to set the
486 password for the user "john" and the machine "My VM"
487 to "secret", use this command:<screen>VBoxManage setextradata "My VM" "VBoxAuthSimple/users/john"
488 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b</screen></para>
489 </listitem>
490 </orderedlist></para>
491 </listitem>
492 </orderedlist></para>
493 </listitem>
494
495 <listitem>
496 <para>Finally, the "guest" authentication method performs
497 authentication with a special component that comes with the Guest
498 Additions; as a result, authentication is not performed on the
499 host, but with the <emphasis>guest</emphasis> user
500 accounts.</para>
501
502 <para>This method is currently still in testing and not yet
503 supported.</para>
504 </listitem>
505 </itemizedlist></para>
506
507 <para>In addition to the methods described above, you can replace the
508 default "external" authentication module with any other module. For
509 this, VirtualBox provides a well-defined interface that allows you to
510 write your own authentication module. This is described in detail in the
511 VirtualBox Software Development Kit (SDK) reference; please see <xref
512 linkend="VirtualBoxAPI" /> for details.</para>
513 </sect2>
514
515 <sect2 id="vrde-crypt">
516 <title>RDP encryption</title>
517
518 <para>RDP features data stream encryption, which is based on the RC4
519 symmetric cipher (with keys up to 128bit). The RC4 keys are being
520 replaced in regular intervals (every 4096 packets).</para>
521
522 <para>RDP provides different authentication methods:<orderedlist>
523 <listitem>
524 <para>Historically, RDP4 authentication was used, with which the
525 RDP client does not perform any checks in order to verify the
526 identity of the server it connects to. Since user credentials can
527 be obtained using a "man in the middle" (MITM) attack, RDP4
528 authentication is insecure and should generally not be
529 used.</para>
530 </listitem>
531
532 <listitem>
533 <para>RDP5.1 authentication employs a server certificate for which
534 the client possesses the public key. This way it is guaranteed
535 that the server possess the corresponding private key. However, as
536 this hard-coded private key became public some years ago, RDP5.1
537 authentication is also insecure.</para>
538 </listitem>
539
540 <listitem>
541 <para>RDP5.2 authentication uses the Enhanced RDP Security, which
542 means that an external security protocol is used to secure the
543 connection. RDP4 and RDP5.1 use Standard RDP Security.
544 The VRDP server supports Enhanced RDP Security with TLS protocol and,
545 as a part of TLS handshake, sends the server certificate to the
546 client.</para>
547
548 <para>The <computeroutput>Security/Method</computeroutput> VRDE
549 property sets the desired security method, which is used for a
550 connection. Valid values are:<itemizedlist>
551 <listitem>
552 <para>
553 <computeroutput>Negotiate</computeroutput> - both Enhanced (TLS)
554 and Standard RDP Security connections are allowed. The security
555 method is negotiated with the client. This is the default setting.
556 </para>
557 </listitem>
558
559 <listitem>
560 <para>
561 <computeroutput>RDP</computeroutput> - only Standard RDP Security
562 is accepted.</para>
563 </listitem>
564
565 <listitem>
566 <para>
567 <computeroutput>TLS</computeroutput> - only Enhanced RDP Security
568 is accepted. The client must support TLS.</para>
569 </listitem>
570 </itemizedlist>
571 For example the following command allows a client to use either Standard
572 or Enhanced RDP Security connection:
573 <screen>vboxmanage modifyvm "VM name" --vrdeproperty "Security/Method=negotiate"</screen>
574 </para>
575
576 <para>If the <computeroutput>Security/Method</computeroutput> property is
577 set to either <computeroutput>Negotiate</computeroutput> or
578 <computeroutput>TLS</computeroutput>, the TLS protocol will be automatically
579 used by the server, if the client supports TLS. However, in order to use TLS
580 the server must possess the Server Certificate, the Server Private Key and the
581 Certificate Authority (CA) Certificate. The following example shows how to
582 generate a server certificate.<orderedlist>
583 <listitem>
584 <para>Create a CA self signed certificate:
585 <screen>openssl req -new -x509 -days 365 -extensions v3_ca \
586 -keyout ca_key_private.pem -out ca_cert.pem</screen></para>
587 </listitem>
588
589 <listitem>
590 <para>Generate a server private key and a request for signing:
591 <screen>openssl genrsa -out server_key_private.pem
592openssl req -new -key server_key_private.pem -out server_req.pem</screen></para>
593 </listitem>
594
595 <listitem>
596 <para>Generate the server certificate:
597 <screen>openssl x509 -req -days 365 -in server_req.pem \
598 -CA ca_cert.pem -CAkey ca_key_private.pem -set_serial 01 -out server_cert.pem</screen></para>
599 </listitem>
600 </orderedlist>
601 The server must be configured to access the required files:
602 <screen>vboxmanage modifyvm "VM name" \
603 --vrdeproperty "Security/CACertificate=path/ca_cert.pem"</screen>
604 <screen>vboxmanage modifyvm "VM name" \
605 --vrdeproperty "Security/ServerCertificate=path/server_cert.pem"</screen>
606 <screen>vboxmanage modifyvm "VM name" \
607 --vrdeproperty "Security/ServerPrivateKey=path/server_key_private.pem"</screen>
608 </para>
609 </listitem>
610 </orderedlist></para>
611
612 <para>As the client that connects to the server determines what type
613 of encryption will be used, with rdesktop, the Linux RDP viewer, use the
614 <computeroutput>-4</computeroutput> or
615 <computeroutput>-5</computeroutput> options.</para>
616 </sect2>
617
618 <sect2 id="vrde-multiconnection">
619 <title>Multiple connections to the VRDP server</title>
620
621 <para>The VRDP server of VirtualBox supports multiple simultaneous
622 connections to the same running VM from different clients. All connected
623 clients see the same screen output and share a mouse pointer and
624 keyboard focus. This is similar to several people using the same
625 computer at the same time, taking turns at the keyboard.</para>
626
627 <para>The following command enables multiple connection mode: <screen>VBoxManage modifyvm "VM name" --vrdemulticon on</screen></para>
628 </sect2>
629
630 <sect2 id="vrde-multimonitor">
631 <title>Multiple remote monitors</title>
632
633 <para>To access two or more remote VM displays you have to enable the
634 VRDP multiconnection mode (see <xref
635 linkend="vrde-multiconnection" />).</para>
636
637 <para>The RDP client can select the virtual monitor number to connect to
638 using the <computeroutput>domain</computeroutput> logon parameter
639 (<computeroutput>-d</computeroutput>). If the parameter ends with
640 <computeroutput>@</computeroutput> followed by a number, VirtualBox
641 interprets this number as the screen index. The primary guest screen is
642 selected with <computeroutput>@1</computeroutput>, the first secondary
643 screen is <computeroutput>@2</computeroutput>, etc.</para>
644
645 <para>The Microsoft RDP6 client does not let you specify a separate
646 domain name. Instead, use
647 <computeroutput>domain\username</computeroutput> in the
648 <computeroutput>Username:</computeroutput> field -- for example,
649 <computeroutput>@2\name</computeroutput>.
650 <computeroutput>name</computeroutput> must be supplied, and must be the
651 name used to log in if the VRDP server is set up to require credentials.
652 If it is not, you may use any text as the username.</para>
653 </sect2>
654
655 <sect2 id="vrde-videochannel">
656 <title>VRDP video redirection</title>
657
658 <para>Starting with VirtualBox 3.2, the VRDP server can redirect video
659 streams from the guest to the RDP client. Video frames are compressed
660 using the JPEG algorithm allowing a higher compression ratio than
661 standard RDP bitmap compression methods. It is possible to increase the
662 compression ratio by lowering the video quality.</para>
663
664 <para>The VRDP server automatically detects video streams in a guest as
665 frequently updated rectangular areas. As a result, this method works
666 with any guest operating system without having to install additional
667 software in the guest; in particular, the Guest Additions are not
668 required.</para>
669
670 <para>On the client side, however, currently only the Windows 7 Remote
671 Desktop Connection client supports this feature. If a client does not
672 support video redirection, the VRDP server falls back to regular bitmap
673 updates.</para>
674
675 <para>The following command enables video redirection: <screen>VBoxManage modifyvm "VM name" --vrdevideochannel on</screen></para>
676
677 <para>The quality of the video is defined as a value from 10 to 100
678 percent, representing a JPEG compression level (where lower numbers mean
679 lower quality but higher compression). The quality can be changed using
680 the following command: <screen>VBoxManage modifyvm "VM name" --vrdevideochannelquality 75</screen></para>
681 </sect2>
682
683 <sect2 id="vrde-customization">
684 <title>VRDP customization</title>
685
686 <para>With VirtualBox 4.0 it is possible to disable display output,
687 mouse and keyboard input, audio, remote USB or clipboard individually in
688 the VRDP server.</para>
689
690 <para>The following commands change corresponding server
691 settings:</para>
692
693 <screen>VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableDisplay=1
694VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableInput=1
695VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableUSB=1
696VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableAudio=1
697VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableClipboard=1
698VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableUpstreamAudio=1</screen>
699
700 <para>To reenable a feature use a similar command without the trailing
701 1. For example: <screen>VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableDisplay=</screen></para>
702
703 <para>These properties were introduced with VirtualBox 3.2.10. However,
704 in the 3.2.x series, it was necessary to use the following commands to
705 alter these settings instead:</para>
706
707 <screen>VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableDisplay" 1
708VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableInput" 1
709VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableUSB" 1
710VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableAudio" 1
711VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableClipboard" 1</screen>
712
713 <para>To reenable a feature use a similar command without the trailing
714 1. For example: <screen>VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableDisplay"</screen></para>
715 </sect2>
716 </sect1>
717
718 <sect1 id="teleporting">
719 <title>Teleporting</title>
720
721 <para>Starting with version 3.1, VirtualBox supports "teleporting" -- that
722 is, moving a virtual machine over a network from one VirtualBox host to
723 another, while the virtual machine is running. This works regardless of
724 the host operating system that is running on the hosts: you can teleport
725 virtual machines between Solaris and Mac hosts, for example.</para>
726
727 <para>Teleporting requires that a machine be currently running on one
728 host, which is then called the <emphasis role="bold">"source"</emphasis>.
729 The host to which the virtual machine will be teleported will then be
730 called the <emphasis role="bold">"target"</emphasis>; the machine on the
731 target is then configured to wait for the source to contact the target.
732 The machine's running state will then be transferred from the source to
733 the target with minimal downtime.</para>
734
735 <para>Teleporting happens over any TCP/IP network; the source and the
736 target only need to agree on a TCP/IP port which is specified in the
737 teleporting settings.</para>
738
739 <para>At this time, there are a few prerequisites for this to work,
740 however:<orderedlist>
741 <listitem>
742 <para>On the target host, you must configure a virtual machine in
743 VirtualBox with exactly the same hardware settings as the machine on
744 the source that you want to teleport. This does not apply to
745 settings which are merely descriptive, such as the VM name, but
746 obviously for teleporting to work, the target machine must have the
747 same amount of memory and other hardware settings. Otherwise
748 teleporting will fail with an error message.</para>
749 </listitem>
750
751 <listitem>
752 <para>The two virtual machines on the source and the target must
753 share the same storage (hard disks as well as floppy and CD/DVD
754 images). This means that they either use the same iSCSI targets or
755 that the storage resides somewhere on the network and both hosts
756 have access to it via NFS or SMB/CIFS.</para>
757
758 <para>This also means that neither the source nor the target machine
759 can have any snapshots.</para>
760 </listitem>
761 </orderedlist></para>
762
763 <para>Then perform the following steps:<orderedlist>
764 <listitem>
765 <para>On the <emphasis>target</emphasis> host, configure the virtual
766 machine to wait for a teleport request to arrive when it is started,
767 instead of actually attempting to start the machine. This is done
768 with the following VBoxManage command:<screen>VBoxManage modifyvm &lt;targetvmname&gt; --teleporter on --teleporterport &lt;port&gt;</screen></para>
769
770 <para>where <computeroutput>&lt;targetvmname&gt;</computeroutput> is
771 the name of the virtual machine on the target host and
772 <computeroutput>&lt;port&gt;</computeroutput> is a TCP/IP port
773 number to be used on both the source and the target hosts. For
774 example, use 6000. For details, see <xref
775 linkend="vboxmanage-modifyvm-teleport" />.</para>
776 </listitem>
777
778 <listitem>
779 <para>Start the VM on the target host. You will see that instead of
780 actually running, it will show a progress dialog. indicating that it
781 is waiting for a teleport request to arrive.</para>
782 </listitem>
783
784 <listitem>
785 <para>Start the machine on the <emphasis>source</emphasis> host as
786 usual. When it is running and you want it to be teleported, issue
787 the following command on the source host:<screen>VBoxManage controlvm &lt;sourcevmname&gt; teleport --host &lt;targethost&gt; --port &lt;port&gt;</screen></para>
788
789 <para>where <computeroutput>&lt;sourcevmname&gt;</computeroutput> is
790 the name of the virtual machine on the source host (the machine that
791 is currently running),
792 <computeroutput>&lt;targethost&gt;</computeroutput> is the host or
793 IP name of the target host on which the machine is waiting for the
794 teleport request, and <computeroutput>&lt;port&gt;</computeroutput>
795 must be the same number as specified in the command on the target
796 host. For details, see <xref
797 linkend="vboxmanage-controlvm" />.</para>
798 </listitem>
799 </orderedlist></para>
800
801 <para>For testing, you can also teleport machines on the same host; in
802 that case, use "localhost" as the hostname on both the source and the
803 target host.<note>
804 <para>In rare cases, if the CPUs of the source and the target are very
805 different, teleporting can fail with an error message, or the target
806 may hang. This may happen especially if the VM is running application
807 software that is highly optimized to run on a particular CPU without
808 correctly checking that certain CPU features are actually present.
809 VirtualBox filters what CPU capabilities are presented to the guest
810 operating system. Advanced users can attempt to restrict these virtual
811 CPU capabilities with the <computeroutput>VBoxManage --modifyvm
812 --cpuid</computeroutput> command; see <xref
813 linkend="vboxmanage-modifyvm-teleport" />.</para>
814 </note></para>
815 </sect1>
816</chapter>
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette