NoMachine Support

Your questions answered

Knowledge Base

Searching in: Articles & FAQs
Filter the search results
Applies to:
Last update:
Searching in: Articles & FAQs
ID: AR06P00984
Applies to: NoMachine Server
Added on: 2018-06-20
Last update: 2019-12-13
How to configure a NoMachine server v. 6 or later to connect web sessions on localhost or on different hosts

This article applies to NoMachine v. 6 or later.

For previous versions, please refer to https://www.nomachine.com/AR07K00679.


Since v.6, all NoMachine servers except the free version support connections by the web, i.e. they include the Apache-based web server (nxhtd) and the NoMachine application to deploy sessions on the web (nxwebplayer/nxwebclient).

By default, the web player is configured to connect web sessions to the NoMachine server installed on the same host (localhost) by using NX protocol and port 4000. No further actions are required.

In some cases, for example when it's necessary to separate the web server host from the NoMachine server host because of company's policies, it can be necessary to configure the web player to contact the NoMachine server on a different host. Instructions are provided in this article at STEP 1.

If it's necessary to connect to more than one server, the most suitable setup is to create a multi-server environment managed by the Cloud Server which works as a single point of access to the federated servers ('child servers') and allows connections by the client and by the web as well. An alternative, not recommended but maintained for compatibility with the old model of NoMachine v. 5 , is to configure the web player to provide a list of servers to the end-users. This procedure is also explained below at STEP 1.

In order to make the web player to connect web sessions to the NoMachine server on a different port or by using the SSH protocol, it's necessary to make a manual configuration, see the STEP 2.

To connect to a NoMachine server on a different computer, and/or when the web player is configured to use a port different than default 4000 for NX protocol or 22 for SSH protocol and/or the nxhtd certificate is changed, it's mandatory to update the list of allowed hosts on web player localhost. Procedure is different when the web player is configured to connect to the server by NX protocol (default) or by SSH protocol. This is detailed at STEP 3.


 

Step 1 - how to
Connect web sessions to localhost or to an host different than localhost
Connect web sessions to a list of server hosts (including localhost or not)
Step 2 (optional) - how to
Configure the web player to use the NX protocol (default)
Configure the web player to use the SSH protocol (optional)
Step 3 - how to
Update the list of known hosts for connections by NX protocol
Update the list of known hosts for connections by SSH protocol

Step 1 - how to

1.1. Connect web sessions to localhost or to an host different than localhost

Edit the server configuration file, namely installationDirectory/etc/server.cfg

In: Section "Server" edit the 'Host' key and set IP or hostname of the server machine you want to connect to.


By default this section is set to:

Section "Server"

Name "Connection to localhost"
Host localhost
Protocol NX
Authentication password
Port 4000

EndSection


Change 'Host localhost' to point to the NoMachine server host you want to connect to, and give it a name by setting the 'Name' key. For example:

Section "Server"

Name "Testdrive"
Host testdrive.nomachine.com
Protocol NX
Authentication password
Port 4000

EndSection

 

1.2. Connect web sessions to a list of server hosts (including localhost or not)

Edit the server configuration file and create a new Section "Server" entry for each server host. If you keep the original Section "Server", users will be able to connect also to localhost.

Then specify a name for the new section and set IP or hostname of the additional server machine in the Host key.

For example, to connect to both localhost and to the server host testdrive.nomachine.com:

Section "Server"

Name "Default connection"
Host localhost
Protocol NX
Authentication password
Port 4000

EndSection


Section "Server"

Name "Testdrive"
Host testdrive.nomachine.com
Protocol NX
Authentication password
Port 4000

EndSection
 

When the user connects by the web, he/she will see both 'Default connection' and 'Testdrive' listed in the available connections.

 


Step 2 - How to configure the web player to use the NX or the SSH protocol to connect to the NoMachine server

2.1. Configure the web player to use the NX protocol (default)

By default, connections by web use the NX protocol. You can change it to use the SSH protocol be editing the 'Protocol' and 'Port' keys in the Section "Server".  Please see examples below.

Section "Server"

Name "Default connection"
Host localhost
Protocol NX
Authentication password
Port 4000

EndSection

 

2.2. Configure the web player to use the SSH protocol (optional)

You can configure the web player to use the SSH protocol be editing the 'Protocol' and 'Port' keys in the Section "Server".

On Linux and macOS, for localhost:

Section "Server"

Name "Default connection"
Host localhost
Protocol system
Authentication password
Port 22

EndSection
 

for a different host, e.g. testdrive:

Section "Server"

Name "Testdrive"
Host testdrive.nomachine.com
Protocol system
Authentication password
Port  22

EndSection

On Windows, the default port for SSH connections is 4022. So, for localhost:

Section "Server"

Name "Default connection"
Host localhost
Protocol system
Authentication password
Port 4022

EndSection

or a different host, e.g. testdrive:

Section "Server"

Name "Testdrive"
Host testdrive.nomachine.com
Protocol system
Authentication password
Port  4022

EndSection


Step 3 - how to update the list of known hosts

Updating the list of known hosts is required when:

i) web player connects to a NoMachine server on a host different than localhost.

ii) a port different than default 4000 for NX protocol or 22 for SSH protocol is set.
For more information on this case see: https://www.nomachine.com/AR06N00888

iii) the certificate is changed.

In this article we focus on connecting web sessions on different hosts (i), but the procedure applies to all cases.
 

3.1. Update the list of known hosts for connections by NX protocol

In case of connection by NX protocol, it's necessary to update the list of allowed hosts in the client.crt default certificate on the main NoMachine server machine. Current versions still require to run a manual procedure. 

Premises:

- Instructions below assume that the additional server host is testdrive.nomachine.com.

- These instructions must be run on the machine where the main NoMachine server is installed.

- They must be executed for each of the server machines that are specified in the Section "Server" directive in the server.cfg file.

 

Instructions:

1) On the main NoMachine server host, move to the home of nxhtd user.

Home of nxhtd user is placed at:

/var/NX/nxhtd/ on Linux

%PROGRAMDATA%/NoMachine/nxhtd on Windows

/Library/Application Support/NoMachine/var/nxhtd/ on Mac OS X

Move then to the  .nx/config/ directory placed under 'nxhtd'.

2) Make a copy of the original client.crt file.

On Linux and macOS, you can execute the cp command from a terminal:
cp -p client.crt client.crt.ori

On Windows:
use the right mouse click to perform copy and paste of the file.

3) Copy the nxd certificate from the additional NoMachine server host (testdrive.nomachine.com) to the main NoMachine server host in the .nx/config/ directory under the home of nxhtd user.

On Linux and macOS copy the nxd certificate from testdrive.nomachine.com to your main NoMachine server host:
scp root@testdrive.nomachine.com:/usr/NX/etc/keys/host/nx_host_rsa_key.crt .

On Windows:
you can use a graphic scp tool. e.g. WinSCP (https://winscp.net).

4) On the main NoMachine server host, add the additional server to client.crt:

Host:testdrive.nomachine.com

On Linux and macOS you can use this command:
echo "Host:testdrive.nomachine.com" >> client.crt

On Windows:
open the client.crt file in a text editor and append this line to the end of file.

5) Then ensure that the main NoMachine server can connect by NX protocol to the additional server by adding to client.crt the nxd certificate previously copied (point 3).

On Linux and macOS:
cat nx_host_rsa_key.crt >> client.crt

On Windows:
use the text editor to open the nx_host_rsa_key.crt file and append it to the client.crt file.

6) On Linux and Mac, set correct permissions and ownership for your new client.crt file:

 # chmod 600 client.crt
 # chown nxhtd:nxhtd  client.crt

7) You can then delete the nx_host_rsa_key.crt file.

On Linux and macOS:

 # rm nx_host_rsa_key.crt

On Windows use the right mouse click to delete files.
 

If the additional server is part of a NoMachine failover cluster (two NoMachine servers in a HA failover cluster), the main NoMachine server has to connect to the shared IP of the failover cluster.

In this case follow this procedure. Instructions are for Linux but can easily extended to Mac and Windows according to the procedure above:

1) Move to the home of nxhtd user and go to .nx/config/ directory.

2) Make a copy of the original client.crt file:

cp -p client.crt client.crt.ori

3) Copy the cluster certificate from the additional NoMachine server host (clusterip.nomachine.com) to the main NoMachine server host:

scp root@clusterip.nomachine.com:/usr/NX/etc/keys/host/nx_cluster_rsa_key.crt ./

4) Add the shared IP of the failover cluster server to client.crt:

echo "Host:clusterip.nomachine.com" >> client.crt

5) Ensure that the main NoMachine server can connect by NX protocol to the additional server by adding to client.crt the cluster certificate previously copied (point 3):

cat nx_cluster_rsa_key.crt >> client.crt

6) Set correct permissions and ownership for client.crt file:

chmod 600 client.crt
chown nxhtd:nxhtd  client.crt

7) You can then delete the nx_cluster_rsa_key.crt file:

rm nx_cluster_rsa_key.crt

 

3.2. Update the list of known hosts for connections by SSH protocol

In case of connection by SSH protocol, to connect via web and SSH protocol to another server than localhost, it's necessary to update the list of allowed hosts in the known_hosts file on the main NoMachine server machine. Current versions still requires to run a manual procedure.


Premises:

- Instructions below refer to Linux and assume that the additional server host is testdrive.nomachine.com.

- These instructions must be run on the machine where the main NoMachine server is installed.

- They must be executed for each of the server machines that are specified in the Section "Server" directive in the server.cfg file.

 

Instructions:

1) Move to the home of nxhtd user and go to the .ssh directory.

Home of nxhtd user is placed at:

/var/NX/nxhtd on Linux

/Library/Application Support/NoMachine/var/nxhtd on macOS

%PROGRAMDATA%/NoMachine/nxhtd on Windows

2) Make a copy of the original known_hosts file.

On Linux and macOS, you can execute commands from a terminal:
cp -p known_hosts  known_hosts.ori

On Windows:
right mouse click to copy the file.

3) Then execute the ssh-keyscan tool for building and verifying ssh_known_hosts files.

On Linux and macOS:
ssh-keyscan -p 22 -t rsa,dsa testdrive.nomachine.com >> known_hosts

where 22 is the default port for SSH connections unless the SSH server (SSHD) has been configured for listening on a different port and testdrive.nomachine.com is the remote server host that you want to connect via the main NoMachine server.

On Windows:
ssh-keyscan -p 4022 -t rsa,dsa testdrive.nomachine.com >> known_hosts

On Windows, the default port for SSH connections is 4022.

Notes:

1) The ssh-keyscan tool is available in Windows 10 and 2019 as being part of OpenSSH: https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview.

For previous Windows versions, install the OpenSSH suite. Ref. https://github.com/PowerShell/Win32-OpenSSH/releases

2) Manual procedure if the ssh-keyscan tool is not available.

Instructions:

STEP 1 - On the second server host, enter the .ssh directory in the home of the nxhtd user:

/var/NX/nxhtd/ on Linux
%PROGRAMDATA%/NoMachine/nxhtd on Windows
/Library/Application Support/NoMachine/var/nxhtd/ on Mac OS X

and copy the ssh public keys from known_hosts file of localhost, e.g.

127.0.0.1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyo/yPISUfvW0xZwKHXexX9mLRkc4t0fL17oOq43sVA9pNQNMeP5ySLHpLDC/G3G+o6Os/0xFHM15ybEexWDR0ByfZ9SrYx [...]

STEP 2 - On the main server host, add these keys to the known_host file in the .ssh directory in the home of the nxhtd user.
IMPORTANT: specify the IP of the machine from which you copied the keys.. So, for example, if the IP of such machine is 10.0.1.141, when you copy the keys to known_host you have to specify it:

10.0.1.141 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyo/yPISUfvW0xZwKHXexX9mLRkc4t0fL17oOq43sVA9pNQNMeP5ySLHpLDC/G3G+o6Os/0xFHM15ybEexWDR0ByfZ9SrYx [...]

This ip, 10.0.1.141, is also the IP specified in the Section "Server" of server.cfg to instruct the web player to connect to it. For example:

Section "Server"

Name "NoMachine on Windows"
Host 10.0.1.141
Protocol system
Authentication password
Port  4022

EndSection


Further information about installing and configuring NoMachine servers is available in the correspondent guide at:

https://www.nomachine.com/all-documents