Support for SSL client authentication for connections by NX protocol is available since the implementation of this feature request: http://www.nomachine.com/FR09M02964.

This article documents how to set up authorization of a specific client device by generating a certificate on the server side and transferring the public part to a selected client machine.

CONFIGURING NOMACHINE FOR SUPPORTING SSL CLIENT AUTHENTICATION

1) Edit the server configuration file (server.cfg), uncomment and activate the EnableNXClientAuthentication as it follows:

     EnableNXClientAuthentication 1

Once this key has been enabled, only connections from devices that have a valid certificate will be allowed. This change will be available for all new sessions and doesn't require to restart NoMachine server and services.

2) Generate the client side private key and certificate

On Linux:

$ LD_LIBRARY_PATH=/usr/NX/lib/ /usr/NX/bin/nxkeygen -k nx_client_rsa_key -c nx_client_rsa_key.crt

On MacOS:

$ LD_LIBRARY_PATH=/Applications/NoMachine.app/Contents/Frameworks/lib/ /Applications/NoMachine.app/Contents/Frameworks/bin/nxkeygen -k nx_client_rsa_key -c nx_client_rsa_key.crt

On Windows:

$ %PROGRAMFILES%/NoMachine/bin/nxkeygen -k nx_client_rsa_key -c nx_client_rsa_key.crt

3) Distribute the client key and certificate to the end-user.

Place the nx_client_rsa_key and nx_client_rsa_key.crt files in the $HOME/.nx/config directory on the end-user's device to have:

$HOME/.nx/config/nx_client_rsa_key
$HOME/.nx/config/nx_client_rsa_key.crt

4) Add the client certificate (nx_client_rsa_key.crt)  to the store file on the server (server.crt) 

The server side path to the store file is

on Linux:
/var/NX/nx/.nx/config/server.crt

on Mac:
/Library/Application Support/NoMachine/var/nx/.nx/config/server.crt 

on Windows:
C:/Users/nx/.nx/config/server.crt 

If the "config" directory doesn't exist, create it manually.

Then create an empty file named server.crt file. Administrative permissions are required.

For example on Linux:

touch /var/NX/nx/.nx/config/server.crt

Add the just generated client certificate (nx_client_rsa_key.crt) to the store file, server.crt.

Format of the server.crt file is:

Host:<IP>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Host:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
...

Where <IP> is the IP address of the client.

If <IP> is not provied, the certificate will be matched against whichever IP address.

Example of a server.crt file:

Host:10.0.2.250
-----BEGIN CERTIFICATE-----
MIIC9zCCAd+gAwIBAgIRAPQvPMRFM9jsvoR9yJhc9UAwDQYJKoZIhvcNAQELBQAw
KDESMBAGA1UECgwJTm9NYWNoaW5lMRIwEAYDVQQDDAlsb2NhbGhvc3QwIhgPMjAw
MDAxMDEwMDAwMDBaGA8yMDYwMDEwMTAwMDAwMFowKDESMBAGA1UECgwJTm9NYWNo
aW5lMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDgRHZcEpSLfb0Y2Wm/Lo8VjeZpbRwQHB3Pm+e+iZe5HHYlFf3QOE0O
EIVgZa9kDHnt+qk1lxXdN...........
-----END CERTIFICATE-----
Host:
-----BEGIN CERTIFICATE-----
MIIC9zCCAd+gAwIBAgIRAKZlvRQxNriyAIQyPNRyJlwwDQYJKoZIhvcNAQELBQAw
KDESMBAGA1UECgwJTm9NYWNoaW5lMRIwEAYDVQQDDAlsb2NhbGhvc3QwIhgPMjAw
MDAxMDEwMDAwMDBaGA8yMDYwMDEwMTAwMDAwMFowKDESMBAGA1UECgwJTm9NYWNo
aW5lMRIwEAYDVQQDDAls............
-----END CERTIFICATE-----

FURTHER INSTRUCTIONS FOR CONNECTIONS BY THE WEB

After having executed all changes explained above, connections by the web are no longer possible. To re-enable them: 

a) Generate server side private key and certificate 

On Linux:

$ LD_LIBRARY_PATH=/usr/NX/lib/ /usr/NX/bin/nxkeygen -k nx_webclient_rsa_key -c nx_webclient_rsa_key.crt

On MacOS:

$ LD_LIBRARY_PATH=/Applications/NoMachine.app/Contents/Frameworks/lib/ /Applications/NoMachine.app/Contents/Frameworks/bin/nxkeygen -k nx_webclient_rsa_key   -cnx_webclient_rsa_key.crt

On Windows:

$ %PROGRAMFILES%/NoMachine/bin/nxkeygen -k nx_webclient_rsa_key -c nx_webclient_rsa_key.crt
 

b) Move the private key and certificate files (nx_webclient_rsa_key and nx_webclient_rsa_key.crt) to the following directory:

on Linux:
/var/NX/nxhtd/.nx/config/

on Mac:
/Library/Application Support/NoMachine/var/nxhtd/.nx/config/

c) Add certificate from nxhtd to servers.crt by following instructions at point 3 and without  providing IP in Host value.

For example on linux:
# echo "Host:" >> /var/NX/nx/.nx/config/server.crt
# cat /var/NX/nxhtd/.nx/config/nx_webclient_rsa_key.crt >> /var/NX/nx/.nx/config/server.crt

NOTE FOR MULTI-NODE ENVIRONMENTS

In case of a multi node environment, no further operations are necessary.
 

CONFIGURING SUPPORT FOR SSL CLIENT AUTHENTICATION IN A NOMACHINE CLUSTER SERVER ENVIRONMENT

To provide communication between master and slave server it's necessary to perform the following operations.

a) Generate new server side private key and certificate.

On Linux:

$ LD_LIBRARY_PATH=/usr/NX/lib/ /usr/NX/bin/nxkeygen -k nx_cluster_rsa_key -c nx_cluster_rsa_key.crt

On MacOS:

$ LD_LIBRARY_PATH=/Applications/NoMachine.app/Contents/Frameworks/lib/ /Applications/NoMachine.app/Contents/Frameworks/bin/nxkeygen -k nx_cluster_rsa_key  -c nx_cluster_rsa_key.crt

On Windows:

$ %PROGRAMFILES%/NoMachine/bin/nxkeygen -k nx_cluster_rsa_key -c nx_cluster_rsa_key.crt

b) Enable on the master server host  the server configuration key 'EnableNXClientAuthentication' as per instructions at point 1.
 

c) Synchronize master and slave servers.

c1. Move the private key and certificate files (nx_cluster_rsa_key and nx_cluster_rsa_key.crt) to the following directory on the master host

on Linux:
/var/NX/nx/.nx/config/

on Mac:
/Library/Application Support/NoMachine/var/nx/.nx/config/

c4 Enable on the slave server host  the server configuration key 'EnableNXClientAuthentication' as per instructions at point 1.

FURTHER INSTRUCTIONS FOR CONNECTIONS BY THE WEB IN A CLUSTER ENVIRONMENT

To re-enable web connections copy the private key and certificate to the nxhtd/.nx/config directory on both the master and slave server hosts.

For example on Linux:
cp /var/NX/nx/.nx/config/nx_cluster_rsa_key* /var/NX/nxhtd/.nx/config/

or follow instructions at par. "FURTHER INSTRUCTIONS FOR CONNECTIONS BY THE WEB"