Welcome to the NoMachine Terminal Server - Installation and Configuration guide v. 7.

What is NoMachine Terminal Server for?
NoMachine Terminal Server is a standalone server that provides unlimited concurrent virtual desktops running on its host. Designed to offer individual instances of the remote desktop (terminal services), it provides users with their own separate desktop environment. With Terminal Server each user has his/her own desktop or application, and can store, manage files inside the session and even share his/her own resources with another user.

Available for Linux, the Terminal Server accepts connections via a browser (thanks to its built-in web server) or via NoMachine client.

Additionally, it can also be federated under a Cloud Server. This solution centralizes access to multiple NoMachine servers distributed across a LAN or WAN environment.

A Graphical Interface

A Graphical Interface
The NoMachine Terminal Server package includes a User Interface (UI) for administering the server and its services (Server settings).

Most common operations detailed in this guide can be performed by the NoMachine UI and the Server settings panel running on the local installation of the server.

More details about the Server UI can be found in the dedicated guide available in the Documents section at: https://www.nomachine.com/all-documents

The Terminal Server comes also with a client UI for running sessions and connecting to other remote desktops.

The server is fully operative once installed
Installation provides a fully operative NoMachine server with a default configuration suitable for the majority of environments. All the necessary services are automatically started.

A standalone server
NoMachine Terminal Server is a single server (standalone server), to all effects. Available for Linux only, it supports unlimited concurrent virtual desktops. A virtual desktop is an individual instance of the remote desktop. Sharing of a virtual desktop is also supported. The number of users is not limited.

A federated server
NoMachine Terminal Server can be also federated under a Cloud Server v. 7 which provides a single point of access to multiple server subsystems. In this case, it's possible configuring the Terminal Server to not accept direct connections. For more specific instructions about federating the Terminal Server, refer to the Cloud Server administrative's guide.

Document Conventions and Important Notices
The following conventions are used in this guide:

BaseDirectory
is the base directory where the NoMachine binaries and libraries are installed.
By default, BaseDirectory is: /usr.

InstallationDirectory
is: BaseDirectory/NX, i.e. /usr/NX.

The command line interface
NoMachine server and node programs have a command line interface to execute operations.

You need to be a privileged system user to access all these functionalities. These commands can be run from an xterm or similar using the sudo utility or as root.

On Linux invoke the 'nxserver' and 'nxnode' programs from /etc/NX, for example:

Online Resources
Visit the NoMachine Support Area to access a variety of online resources including the NoMachine Forums, tutorials and FAQs: https://www.nomachine.com/support

Find a list of all documents and tutorials: https://www.nomachine.com/all-documents

Use the Knowledge Base search engine to access articles, FAQs and self-help information: https://www.nomachine.com/knowledge-base

Leave Feedback About This guide
Our goal is to provide comprehensive and clear documentation for all NoMachine products. If you would like to send us your comments and suggestions, you can use the contact tool available at https://www.nomachine.com/contact-request, selecting Web Quality Feedback as your option.

Supported Operating Systems
Linux 32-bit and 64-bit
RHEL 4 to RHEL 8
SLED 10 to SLED 15
SLES 10 to SLES 15
openSUSE 10.x to openSUSE 15.x
Mandriva 2009 to Mandriva 2011
Fedora 10 to Fedora 31
Debian 4.0 to Debian 10
Ubuntu 8.04 to Ubuntu 20.04

Raspberry Pi 2/3/4 ARMv6/ARMv7/ARMv8

Hardware requirements
Intel Core2 Duo or AMD Athlon Dual-Core or equivalent
1 GB RAM
Network connection (either a LAN, or Internet link: broadband, cable, DSL, etc...)
Size required on disk:
Linux 195 MB

Software requirements
A desktop environment must already be installed. This applies also to headless Linux machines. Connections by the web and by NoMachine clients are supported.

Compatibility with older versions
Even if it's advisable to upgrade client installations to the same version 7 of the Terminal Server, compatibility with clients v. 6 and 5 is preserved.
Note also that when the Terminal Server works as a federated server, NoMachine Cloud Server v. 7 requires a client v. 7 or 6.

Installing for the first time
You can install, update and uninstall using the graphical package manager of your Linux distribution or from command line by running commands from an xterm or similar with the sudo utility, or as root user if you don't have sudo installed. Instructions below refer to installation by command line.

If you own a customer license we recommend you download the package from your Customer Area: https://www.nomachine.com/support#login.

Successive updates
The update procedure for server and node installations requires all NoMachine services to be stopped in order to correctly replace libraries and binaries. This implies that the Terminal Server is not accessible to users during the update procedure. Current sessions will be terminated, users will be able to connect again later.

There are two ways to update your current installation:

If you want to install to default location, namely /usr/NX/:

INSTALL

UPDATE

UNINSTALL

TIP

For non-default locations, for example /opt/NX:

INSTALL # rpm -ivh <pkgName>_<pkgVersion>_<arch>.rpm --prefix /opt UPDATE # rpm -Uvh <pkgName>_<pkgVersion>_<arch>.rpm --prefix /opt UNINSTALL # rpm -e nomachine-terminal-server

If you want to install to default location, namely /usr/NX/:

INSTALL

UPDATE

UNINSTALL

TIP

For non-default locations, for example /opt/NX:

INSTALL $ sudo NX_INSTALL_PREFIX=/opt dpkg -i <pkgName>_<pkgVersion>_<arch>.deb UPDATE $ sudo NX_INSTALL_PREFIX=/opt dpkg -i <pkgName>_<pkgVersion>_<arch>.deb UNINSTALL $ sudo dpkg -r nomachine-terminal-server

If you want to install to default location, namely /usr/NX/, ensure that package is placed there.

INSTALL

UPDATE

UNINSTALL

TIP

For non-default locations, for example /opt/NX:

INSTALL $ sudo NX_INSTALL_PREFIX=/opt /usr/NX/nxserver --install UPDATE $ sudo NX_INSTALL_PREFIX=/opt /usr/NX/nxserver --update UNINSTALL $ sudo /opt/NX/scripts/setup/nxserver --uninstall $ sudo rm -rf /opt/NX

Customer packages
include a temporary (30-days) node.lic and server.lic files for evaluation.
Such license files have to be replaced with the customer's license files acquired from NoMachine.via the NoMachine UI in Settings -> Server -> Updates panel: click on 'Server subscription' and 'Node subscription' to read the current license file. Click on 'Replace' button to activate a new license file.

TIP

Starting from version 7, the server will cease to work once the license is expired. Please contact your NoMachine provider or the Support Team for renewal options.

You can find a guide for UI usage in the Documents section on the NoMachine web site: https://www.nomachine.com/all-documents. Look for the keyword 'license' to find out in the knowledge base, section 'Articles' how to activate licenses manually: https://www.nomachine.com/knowledge-base.

To verify from command line that server.lic and node.lic are correctly in place and check their validity, you may run:

Pre-requisite: you need to have a valid account on the Terminal Server host, password cannot be empty. Your account can be a local account or a LDAP account or an AD account. NoMachine doesn't check if the source of users' account information is for example LDAP or local account database. Be sure to configure the login in advance.

Once installation is complete, Terminal Server is ready to go.

The end-user should point the browser on his/her device to:

http://SERVER:4080

Where SERVER is either the name or IP address of the host you want to reach.

E.g., if Terminal Server is installed on a host named 'myserver.com', the URL will look like this:

http://myserver.com:4080

Connection will be automatically switched to HTTPS protocol:

https://myserver.com:4443/nxwebplayer

In the login form, the end-user has to provide username and password of his/her system account on the Terminal Server host and connect.

TIPS
I	Auto-reconnection is supported: when the connection is lost for whatever reason (including when the browser's computer has entered sleep mode), the NoMachine web application will automatically try to reconnect for as long as the user keeps the web page open. If reconnecting is not possible, then the user will have to reconnect manually.
II	IPv6 is supported: specify the IP address of the server host in IPv6 format (e.g. 2001:0:5ef5:79fb:30c6:1516:3ca1:5695) if you want to use it instead of IPv4.

Install NoMachine Enterprise Client on your device. You can use also NoMachine free or whichever other server type, they all provide the client UI for connecting to remote computers.

You can find a step-by-step tutorial for creating virtual desktops the 'Tutorials' section at: https://www.nomachine.com/all-documents. If you're using the Enterprise Client, please see also its Installation and Configuration guide in the 'Installation' section at the same web page above.

TIPS
I	Auto-reconnection is supported: when the connection is lost for whatever reason (including when the client host has entered sleep mode), the client will automatically try to reconnect for as long as the user keeps the UI open. If reconnecting is not possible, then the user will have to reconnect manually.
II	IPv6 is supported: specify the IP address of the server host in IPv6 format (e.g. 2001:0:5ef5:79fb:30c6:1516:3ca1:5695) if you want to use it instead of IPv4.

To prevent NoMachine users from storing their credentials, use the EnableCredentialsStoring key in the server configuration file. The accepted values are:
player Only users connected via NoMachine client are enabled to save username and password in the connection file stored on their devices (computer, tablet etc ...)
webplayer Only users connected via browser can choose to save their access credentials. They are stored in the browser's cookie, given that the user's browser has cookies enabled.
both All users, regardless if connected via NoMachine client or via web, can store their credentials.
none Users cannot save their username and password. They will be requested to provide their log-in credentials at each connection.

For example, to allow only users connecting via NoMachine client to store credentials, set in the server configuration file:
EnableCredentialsStoring player

Auto-reconnection is supported for connections by NoMachine client and via web. When the connection is lost for whatever reason (including when the client or browser's computer has entered sleep mode), NoMachine will automatically try to reconnect for as long as the user keeps the UI or the web page open. If reconnecting is not possible, then the user will have to reconnect manually.

The automatic reconnection can be disabled in the server configuration file by editing (remove the pre-pending '#') the EnableClientAutoreconnect key. The accepted values are:
none Disable auto-reconnection for connections by NoMachine client and by the web.
NX Allow auto-reconnection for connections by NoMachine client and NX protocol.
SSH Allow auto-reconnection for connections by NoMachine client and SSH protocol.
HTTP Allow auto-reconnection for connections by the web

For example, to disable auto-reconnection for client and web, set:
EnableClientAutoreconnect none

To disable auto-reconnection only for web sessions, set:
EnableClientAutoreconnect NX,SSH

To disable auto-reconnection only for client sessions, set:
EnableClientAutoreconnect HTTP

To disable auto-reconnection only for client sessions via NX or SSH protocol, set respectively:
EnableClientAutoreconnect SSH
or:
EnableClientAutoreconnect NX

Changes will be effective for new sessions, restarting NoMachine is not necessary.

The configuration file for the web player program (which provides the graphical front-end) and the web client program (which manages web sessions) is server.cfg, located in the BaseDirectory/NX/etc directory: /usr/NX/etc/server.cfg.

Default settings
The Section "Server" directive defines settings for the NoMachine server(s) where the web player application will connect. This directive, by default, points to localhost and looks like:

Name is a label that can be displayed as an alternative to show hostname of the server. To change the name to be displayed, it's necessary to enable also the EnableWebConnectionName key in server.cfg: EnableWebConnectionName 1

Host is IP or hostname of the NoMachine server host.
If different than localhost, it's then necessary to update manually the list of known hosts as explained here: https://www.nomachine.com/AR06P00984

Protocol specifies the protocol, NX or SSH, that the web player will use to connect to the NoMachine server. Default is:

Protocol NX
Port 4000

Protocol system
Port 22

and for Windows:

Protocol system
Port 4022

Port indicates the listen port for the server, by default 4000 for connections by NX protocol, 22 for connections by SSH protocol on Linux and macOS and 4022 for connections by SSH on Windows.

This setting has to be changed only when NoMachine is configured to listen on a non-default port. Changing the port for web connections requires a manual procedure available here: https://www.nomachine.com/AR06N00888

Authentication defines the authentication method to be used when connecting by the web, by default 'password':

Protocol NX
Authentication password
and:

Protocol SSH
Authentication password

Key-based authentication is supported at the moment only for NX protocol, instructions to set it up are available here: https://www.nomachine.com/AR03Q01020

Changing protocol and port
By default the web application will connect to the NoMachine server by NX protocol on port 4000. Supported protocols are NX and SSH (by default on port 22).

To use the NX protocol (this is the default), set:

Protocol NX
Port 4000

To use SSH protocol, set:

Protocol system
Port 22

TIP

In order to change the port for NX protocol, change the port for the nxd service and restart it, see the paragraph 'Connecting by NX Protocol'. To change the port for connections by SSH it's instead necessary to modify the listen port for the SSH server on the system. When nxd or SSHD are listening on a port different than 4000 or 22 respectively, update the Port value in the Section "Server" and update manually the list of known hosts as explained here: https://www.nomachine.com/AR06P00984

Other settings in server.cfg specific for web sessions are qualified by the 'Web' keyboard in their name.

Showing hostname or a custom label
To display hostname or IP of the NoMachine Server host when connecting by the web, set the following key. This is the default:

EnableWebConnectionName 0

To display the label set in the 'Name' field of Section "Server" set:

EnableWebConnectionName 1

To not display the tutorial wizard for the menu panel at session startup, set:

EnableWebMenuTutorial 0

and to show it (this is the default):

EnableWebMenuTutorial 1

You can start and stop the NoMachine HTTP server (nxhtd)
from the Settings --> Server UI -> Ports panel.

From the NoMachine UI you can also change the port where the web server will be listening (by default 4080 and 4443 for secure connections).

Manual procedures
To change the nxhtd listen ports manually, follow the procedure described here: https://www.nomachine.com/AR12Q01065

To stop, start or restart nxhtd from command line:

Automatic restart of the nxhtd service
Each service is automatically restarted at the next boot. You can change the default behavior for the nxhtd service by setting:

The nxserver --startmode command operates on the StartHTTPDaemon server configuration key:

StartHTTPDaemon Automatic

and:

StartHTTPDaemon Manual

Disabling the starting of the NoMachine HTTP server
Edit the server configuration file and remove HTTP from the ClientConnectionMethods key. It should then look like:
ClientConnectionMethods NX,SSH

Then restart NoMachine server to make this change effective:

NoMachine Terminal Server is designed to provide a fully integrated service to deploy sessions on the web which doesn't require additional software to be installed or manual configuration. The minimal Apache web server, nxhtd, provides the necessary modules and is pre-configured to work with the web player application.

However, it is possible to run the web player application with an alternative Apache web server. Look for detailed instructions in our Knowledge Base, section Documents: https://www.nomachine.com/all-documents.

The implementation of WebRTC support in browser-based remote desktop sessions has inititally been released as beta and must be enabled explicitly by the administrator by editing the server.cfg file.

With the help of a STUN/TURN server for negotiating NAT traversal, peer-to-peer WebRTC communication can be established also when the web session has to be run behind a NAT.

STEP 1: Uncomment and set the AcceptedWebMethods key as follows to enable the use of WebRTC:

AcceptedWebMethods webrtc

STEP 2: If the node machine where the web session will be started is behind a NAT, you need to uncomment the following section in server.cfg:

Section "STUN"

Host hostname
Port portnumber
User username
Password password

EndSection

and provide relevant information to contact a STUN or TURN server. In this last case change Section name to "TURN".

Specific articles can be found in the Knowledge Base, https://www.nomachine.com/knowledge-base.

In the case of web sessions, by default, session data is streamed in video frames compressed and decompressed by using the MJPEG lossy algorithm, which is the video-format widely supported by browsers.

Oher video codecs like VP8 and H.264, require a browser which supports WebRTC and HTML5.

NoMachine web sessions use the H.264 video streaming when the following requirements are all met, otherwise VP8 is used. In practice, when WebRTC is enabled, the H.264 or VP8 encoding will be used, otherwise MJPEG will be used:

In practice, when WebRTC is enabled, the H.264 or VP8 encoding will be used (if the browser supports WebRTC), otherwise the classic web media exchange protocol will be used and MJPEG will be the codec.

TIP

H.264 hardware encoding is possible when the Terminal Server host machine has an hardware accelerated video cards (GPU) with Nvidia Kepler microarchitecture onward or Intel Quick Sync processors or AMD card (at the moment only on Windows). Enabling HW acceleration by Quick Sync requires however a manual configuration as explained here: https://www.nomachine.com/AR09O00938

Optimizations
Optimizations can be done in two ways: (I) by adjusting display settings in the session or (II) by enabling WebRTC.

TIP

You may verify which encoding method is in use from the NoMachine menu inside the session: press ctrl+alt+0 or click on the page peel in the upper right corner of the window to open it. Then click on the 'Display' button and finally on 'Display settings'. The codec actually on use is reported at the bottom left of the menu.

Sessions run by NoMachine client use a combination of video and image encoding based on standard codecs and a number of techniques developed by NoMachine. Frames are encoded into a video stream optimized by means of a compression and decompression algorithm of real-time image and audio data. VP8, H.264 and MJPEG encoding are supported.

In general VP8 and H.264 are suitable for all situations, while MJPEG can be an alternative when the end-user's computer is less powerful and the user is experiencing slow responsiveness.

The display encoder can be changed on the server:

from the UI
In the UI in the Server Performance panel.

or in the node configuration file
Enable the use of a specific codec by editing the node configuration file and enabling the following two keys:

EnableDisplayServerVideoCodec 1
DisplayServerVideoCodec CODEC

where CODEC can be: 'vp8','h264' or 'mjpeg'. For example:
EnableDisplayServerVideoCodec 1
DisplayServerVideoCodec mjpeg

The X11 vector graphics mode (previously called 'lightweight mode') is enabled by default for (i) virtual desktops and (ii) custom sessions in floating window mode. This mode is mainly a set of NoMachine techniques to compress and optimize the X11 protocol (by applying the same alghoritms available with the NX compression protocol v. 3). These compression techniques are applied to all non-video contents like textual elements, while multimedia contents are encoded in a video stream (VP8 or H.264).

The X11 vector graphics mode is useful for avoiding loss of image quality and in general is the best option when working with traditional UIs or a large amount of text. However it's not suggested for multimedia contents or applications with many graphical effects.

It also may help to reduce bandwidth usage, decrease the HW requirements on client and server (expensive video encoding/decoding operations are applied only to multimedia contents), increase responsiveness on slow link and end-users' clients without hardware accelerated video encoding/decoding capabilities.

You can disable/enable the X11 vector graphics mode
via the User Interface
in the Settings -> Server -> Performances panel

or in the node configuration file
Edit the node configuration file, uncomment and set the AgentX11VectorGraphics key (previously named 'AgentLightweightMode') to '0' for disabling the the X11 vector graphics mode:
AgentX11VectorGraphics 0

or to enable it:
AgentX11VectorGraphics 1

TIPS
I	In the case of slow bandwidth, decreasing the quality level of images could help but if you need to have a perfect image without quality loss, you have to increase the display quality instead. It's also suggested to disable multi-pass encoding to avoid the 'out of focus' effect: multi-pass is an encoding technique which uses multiple passes to reach progressively the best definition of the image.
II	Quality level and multi-pass encoding can be tuned from the NoMachine menu inside the session in the Display -> Change settings panel. (Ctrl+alt+0 or click on the right upper corner of the window to open the NoMachine menu).

In NoMachine virtual desktops and custom sessions, OpenGL rendering is done by default by software components. This means that rendering tasks are accomplished by CPU and not offloaded onto GPU. Such operations could be resource-demanding, especially in the case of 3D desktop graphics effects, and make the user interface look slow.

A possible alternative is to configure the NoMachine server to use the VirtualGL libraries (included in the NoMachine package) and therefore activate support for HW accelerated OpenGL applications. This allows OpenGL applications, namely 3D applications, to use server side graphics hardware.

In order to activate support for VirtualGL, follow instructions at http://www.nomachine.com/AR05P00982

The configuration file for the nxserver and nxweplayer/nxwebclient programs is server.cfg. The configuration file for the nxnode program is node.cfg.

They are placed in the BaseDirectory/NX/etc directory:
/usr/NX/etc/server.cfg
/usr/NX/etc/node.cfg

The Default Configuration
NoMachine Terminal Server comes with a default configuration that is sufficient to grant a working setup for the majority of environments. NoMachine administrators can tune their installation at any moment and according to their specific needs by setting the related configuration keys. In some cases a restart of all NoMachine services will be required.

Edit the Configuration Files
NoMachine configuration files are text files made up of a number of key-value pairs. All the configuration files can be edited manually by a text editor, e.g. 'vi'.

Be sure to uncomment the configuration key (i.e., remove the '#' pre-pended to the key) to set a value different from the default.

When a configuration key supports an on/off status, set value to '0' to disable it and to '1' to enable it.

Make Changes to the Default Configuration Effective
Changes will be effective with the next new connection without the need to restart the server if not otherwise specified.

Installation and upgrade procedures take care of configuring and starting all the necessary services to make NoMachine Terminal Server ready to accept and serve users' requests for virtual desktops and custom sessions. The necessary services are configured to be restarted at each reboot of the host machine.

When you are sit in front of the computer where the Workstation is installed or you're connected there by NoMachine, you can switch off/on the ability to accept connections to your desktop via NoMachine. When you disable the sharing of your screen, nobody can connect.

You can configure this setting via the NoMachine Monitor menu (right click on the !M icon in the system tray to open it) by clicking on item "Accept connections".

This setting lasts until you change it again, even when you physically log-out from the system.

See also this tutorial for more details: https://www.nomachine.com/disabling-access-to-your-local-desktop

TIPS
I	Be careful if you decide to disable accepting connections when you are connected from remote: you will be no longer able to reconnect to the desktop via NoMachine once the current session is closed. In this case, you can recover the ability to connect via NoMachine by changing settings in the Monitor menu on the physical computer.
II	It's posible to hide the 'Accept connections' item from the !M menu by configuring the NoMachine node.cfg file on that computer and setting: EnableAcceptingConnections 0 Be sure to remove the pre-pending # from the key name.

All NoMachine services can be stopped via:

the UI
all NoMachine services can be stopped by the Server status UI ('Shutdown the server'). When doing so, you will be asked if services must be started at the next reboot or not. You can restart services also from the Server status UI ('Start the server').

or from command line.

Stopping all the NoMachine services

Starting NoMachine server and services

Specifying the start mode
It's possible to set the 'start mode' (if services will be started automatically at boot or not) by using:

Stopping and restarting NoMachine server and services

The NoMachine networks services available for NoMachine Terminal Server are nxd and nxhtd:

You can stop a single service:

via the UI
in the Settings -> Server -> Ports services panel. You can choose there also the start mode: if the service must be started automatically at the next boot or not.

or from command line.

Stopping a service

where SERVICE can be:
nxd, the Network Server for accepting connection by NX protocol
nxhtd, the NoMachine web server for web sessions

Starting or restarting a service

Specifying the start mode
By default each service is automatically restarted at the next boot. You can configure that on a per-service basis by running:

Commands above operate on the configuration keys listed below. You can change them manually in the server configuration.

For each session, NoMachine uses ports that are used only locally on the server host and network ports.

Some ports are mandatory and must be free, e.g. the session display number and the connection port. Other ports are used for services that can be disabled (e.g. USB forwarding, UDP communication).

It is possible to hide or show the !M (the Monitor) icon in the system tray. When the icon is hidden, notification messages will still be displayed when users are connecting. This can be configured:
from the UI:
In the Settings -> Server -> Security panel, check 'Hide the NoMachine icon in the system tray'. When the icon is hidden, notification messages will still be displayed when users are connecting.

or in the node configuration file
This setting is ruled by the DisplayMonitorIcon key in the node configuration file. If you change them manually by editing the file, you then need to restart the server to make changes effective.

To hide the !M in the system tray set:
DisplayMonitorIcon 0

To display the !M in the system tray set:
DisplayMonitorIcon 1

In both cases, then restart the server:

By default NoMachine issues a balloon message to notify about events like user disconnection or user requests for connecting. You can disable notification messages by setting the following key in the node configuration:
DisplayMonitorNotifications 0

TIP

If the displaying of monitor notification messages is disabled, the desktop owner will be unable to accept connection requests by other users. Configure trusted users if you need to permit the connection without explicit authorization.

If you want to disable opening the Whiteboard from the Monitor menu, edit the node configuration file to have:
EnableWhiteboard 0

Then restart the server:

By default NoMachine Terminal Server broadcasts information to let other NoMachine computers to discover it on the local network. You can disable this feature via:
the UI
In the Settings -> Server > Ports panel, uncheck 'Advertise this computer on the local network'.

or in the server configuration file
set the following key in the server configuration:

EnableNetworkBroadcast 0

Then restart the server to make changes effective:

NoMachine provides an instant messaging tool, named whiteboard which allows drawing, the sharing of files with connected users and fast-track access to file transfer. To access it, connect to the user's desktop and from the Monitor (!M icon) in your system tray click on 'Show the whiteboard'. Note that if multiple users are connected at the same time to the same session, they will all see the message.

As an alternative, it's possible to issue a dialog in the connected sessions to show a custom message by sending it from command line.

Sending a message to all running sessions:

It is possible to welcome users when the when the virtual desktop is started by issuing a greeting message, either when the first time the user logs-in or every time the user connects to the Terminal Server. Update the node configuration file by writing the text of your message in any of the following keys:

NodeFirstLoginGreeting "Welcome to your first NX session"
NodeLoginGreeting "Welcome to your NoMachine session"

NoMachine
connections by default use the NX protocol which is its own protocol for secure communication over the network. Encryption in the NX protocol is implemented using OpenSSL TLS/SSL, based on ECDHE-RSA-AES128-GCM-SHA256 as the default cipher suite. ECDHE-RSA-AES128-GCM-SHA256 is an AES (Advanced Encryption Standard) block cipher with 128 bits key in GCM (Galois/Counter Mode). RC4 (ECDHE-RSA-RC4-SHA cipher suite) is used as a backward compatibility when connecting from or to version 4.0.

When using the NX protocol, NX data can travel on TCP and UDP streams, even at the same time. The client and server can decide dynamically what transport to use, based on the type of data and the network conditions. Client and server negotiate the UDP transport at session startup, after having negotiated the main TCP link. UDP uses symmetric Blowfish encryption, with key negotiated on the secure TCP link. UDP is presently not available when using the SSH tunneling, to ensure that all data goes through the same SSH link, as it was in legacy version 3. UDP protocol can be also disabled.

SSH Protocol
NoMachine Terminal Server also provides tunneling of connections using SSH and full integration with any authentication backend supported by the host SSH server.

Authentication methods
These are the authentication methods supported by NoMachine when connections use the NX protocol or the SSH protocol:

Protocols are defined in the ClientConnectionMethods key in the server configuration. They are specified as a comma-separated list of values:

ClientConnectionMethods NX,SSH,HTTP

This key is automatically populated during the installation or the update of the package. It is possible to exclude any of the available protocols to force users to connect by the desired protocol.

For example, to use only NX protocol, set this key to:
ClientConnectionMethods NX

and restart the server to make changes effective:

TIPS
I	If your server supports SSH but it still reports that SSH is not available, check the ClientConnectionMethods key and ensure that the SSH values is set. Then restart the server.
II	Removing 'HTTP' from the ClientConnectionMethods key will disable the starting of the NoMachine HTTP server and prevent connections via web.

Administrators may decide how the user should authenticate on the server by defining which authentication method(s) is/are available. Authentication methods can be set in the server configuration file by editing this key:

AcceptedAuthenticationMethods all

By default all methods are accepted. They can be restricted by providing a comma-separated list of values, they will indicate which authentication method is permitted.

Accepted values for connections by NX protocol are:
NX-password to allow password authentication.
NX-private-key to allow key-based authentication.
NX-kerberos to allow Kerberos ticket-based authentication.

while for connections by SSH protocol:
SSH-system to allow all methods supported for the system login. SSH authentication methods for the system login have to be set on the system for example in the PAM configuration.

For example, to accept key-based and Kerberos ticket-based authentication for the NX protocol:

AcceptedAuthenticationMethods NX-private-key, NX-kerberos

Settings in the client UI
Users can select the authentication method in their connection settings from the NoMachine UI: right mouse click on the connection to open Edit connection -> Configuration.

Protocol and authentication methods can be set when creating a new connection via the client UI:

or changed later by modifying the connection settings (right mouse click on the connection icon in the client UI to edit it).

The default setting of NoMachine is to run connections via the NX protocol on port 4000. On the server side, the Network Server, nxd, is listening on port 4000. It's mandatory that this port is open between client and server to allow connections by the NX protocol.

If you change the listen port for nxd, connecting users will have to specify the new value in their connection settings in the client UI.

It's possible to modify the port for nxd
from the UI
in the Server status -> Server preferences -> Network services UI

or in the server configuration file by editing this key:
NXPort 4000

Restaring the nxd service is necessary to make this change effective:

When NX protocol is used, UDP communication for multimedia is enabled by default. UDP traffic uses a range of ports between 4011 and 4999. These ports must be open between client and server. If they are not available, traffic will fall back to TCP communication. You can change port range, define a comma-separated list of ports or a single port by changing value set for the following key in the server configuration:
UDPPort 4011-4999

Users can disable UDP in their connection settings from the NoMachine UI in the Advanced panel for the NX protocol settings.

The default port used for the SSH protocol is 22 on Linux. On Linux NoMachine relies on the SSH server installed on the system. If your SSHD is configured to listen on a port different from 22 you need to align the NoMachine server configuration accordingly. Connecting users will have to specify such value in their connection settings in the client UI.

If your SSH server is listening on a port different than 22, change the SSH port in the NoMachine configuration

in the Server status -> Server preferences -> Network services UI

or in the server configuration file by editing this key:
SSHDPort 22

Automatic discovery of the NoMachine Terminal Server host is possible only when the server and the user's machine are on the same LAN. When the user connects over the internet or from a different network, it's mandatory to know the public (or external) IP of the Terminal Server.

When the server is behind a firewall, you have to configure the router to forward external port to the nxd service (to use the NX connection protocol), to the SSH server (to use the SSH protocol) and to the nxhtd service (to connect by the web). By default the required ports are TCP ports: 4000 for NX, 4080 and 4443 for HTTP/HTTPS and UDP ports in the 4011-4999 range. Note that users will have to specify the external port in their connection settings in the client UI.

If the router on the server side supports UPnP/NAT-PMP, you can let NoMachine try to enable port forwarding in the router automatically. External ports will be selected randomly from the 20000 - 30000 range. Also in this case users will have to specify the external port in their connection settings in the client UI.

For connections by NX protocol, at session startup NoMachine will also try to map UDP ports by using UPnP.

Enabling the automatic port forwarding
Step 1: Set in the server configuration:
EnableFirewallConfiguration 1

Step 2: Specify for which service the port forwarding must be enabled by listing them in the following key:
EnableUPnP NX,SSH,HTTP

Step 3: Specify the port where the NX service will be redirected by editing respectively:
NXUPnPPort ""; SSHDUPnPPort "" and HTTPUPnPPort ""

TIP

To permit only connections by SSH (on external port 20048 for example) and use the automatic port forwarding, set in the server configuration: ClientConnectionMethods SSH EnableFirewallConfiguration 1 EnableUPnP SSH SSHDUPnPPort "20048" and restart the server.

You can enable port forwarding for connections by NX and HTTP/HTTPS protocol also from the UI
via the Server preferences -> Network services UI by selecting the service and enter its settings (click on 'Configure'). Then check the Gateway port option.

Retrieving information about UPnP port mapping
When automatic port mapping is enabled, you can retrieve information about UPnP port mapping, e.g. IP of the gateway device, external port and port mapped by running:

Use of NoMachine DBs can be configured by editing the server configuration. The table below reports which configuration key value has to be set to enable or disable specific behavior as defined in the 'Target' field:

You can manage (create, delete and modify) user accounts by using tools provided by your Operating System or the NoMachine server commands as explained below.

Creating Accounts
The Terminal Server is able to handle two types of accounts: system accounts and NoMachine accounts. The latter can separate the system password from the NoMachine password.

Creating a System Account
The system account will be created with the default system settings. The new user will be also added to the NoMachine Users DB:

Creating a NoMachine Account
Use this command when the user already has a system account:

TIPS
I	To assign a password different from system password to a system user, enable NoMachine Password DB ( EnablePasswordDB 1) in server.cfg.
II	To verify if the user authentication is based or not on NoMachine Password DB:
nxserver --userauth USERNAME
III	If this Terminal Server is federated under a Cloud Server, each user must have the same system account on the Cloud Server host and on this Terminal Server. Password can be different.

Enabling and Disabling access for a NoMachine User
Prerequisites are:

i)The user has run at least one session or has been added to NoMachine dbs by means of 'nxserver --useradd' command.

ii) NoMachine Users DB is enabled (EnableUserDB 1 is set in server.cfg)

You can enable/disable a user and allow/forbid his access to the Terminal Server by running:

Modifying the User Password
You can modify user's system password by running:

Listing the NoMachine Users
All users who have run at least one session or have been added to NoMachine dbs are stored in the Users db. You can retrieve the complete list by running:

The output of this command provides the following fields:
Redirected to: IP/hostname of the server to which the user's connection is redirected (by means of the 'nxserver --redirect' command when supported).
Trusted for: it shows if the user is trusted.
Screen Sharing: it shows which user has the sharing of their physical screen disabled.
Access: it shows if the user is enabled or not to access the NoMachine system. This works in conjuction with the use of the NoMachine Users DB: when enabled (EnableUserDB 1 in the server configuration), it's possible to enable/disable user access to the whole NoMachine system.
Forwarded to: this field is applicable only when the server is a NoMachine Cloud Server, so it's always empty in case of Terminal Server.

Removing Accounts
To remove an account from the system:

NoMachine Terminal Server supports the creation of groups of users with the possibility to set attributes (e.g. the trusted flag) to the group or create profiles rules which apply to all users belonging to the given group (e.g. disable the possibility to print and share disk).

Creating a new group and manage groups' users

Setting the 'trusted' flag to the group
The 'trusted' flag can be specified when creating the group, or later by editing the group. To create or make a group trusted for connections to virtual desktops:

Making the group trusted for specific users' desktops
You can assign the 'trusted' flag and make the group (and all users belongin to that group) trusted only for those desktops owned by a specific user or list of users. For example, if a new group (groupB) should be created and made trusted only for desktop of userA:

Setting profile rules for a group
In order to set a profile rule on a per-group basis, it's necessary to specify the '--group GROUP' option when adding the rule. See the chapter dedicated to Profiles for more information about the available rules. The general format of the command is:

Setting the group's priority level

When the same user belongs to multiple groups, the most permissive settings among those configured for such groups apply to the user. It's however possible to assign a priority level to each group. This can be done when creating the group or by editing the group settings. PRIORITY is an integer positive number, for example:

The automatic generation of guest accounts is not enabled by default and must be activated via profile rules. If enabled, the server generates a new system account on demand when the user connects with the 'Login using a guest account' UI option.

In case of web sessions, set the following key if you need that users connect by the web always as guest users:
EnableWebGuest 1

When this key is enabled, users will have the possibility to choose if log-in with their credentials or as a guest.

Policies to create guest accounts, keep them alive and others can be set by editing the NoMachine server configuration file

It is also possible to define a set of profile rules on a per-guest basis only. Such rules will not apply to other users.

Enabling the automatic generation of guest accounts
Use the following command to create the profile rule for enabling guests on the server:

Then edit the following key in the server configuration:
GuestUserGroup ""
to set the Group Identifier (GID) for NoMachine guest users. The specified GID must already exist on the system.

To enable the login as guest also via web, then set in the server configuration
EnableWebGuest 1

Configuring Guest Accounts (advanced)
The server creates guest accounts by adding a progressive number as a postfix to the base guest name. The range used for incrementing the postfix varies from a minimum and a maximum value. Base name and range for the postfix are configurable:
GuestName guest
BaseGuestUserId 10
GuestUserIdLimit 200

By default the server creates the guest users' homes in the /home directory. To define a different place, edit: GuestUserHome /home

A guest account remains valid for 30 days, but you can set a different time of expiry:
GuestUserAccountExpiry 2592000 (This value has to be set in seconds)

A further configuration key define the maximum number of sessions a guest can run on this server before the account expires (by default 5):
GuestUserConnectionLimit 5

The following key defines for how long (in seconds) a guest can run the session before the account expires. By default the guest session is never terminated (the key is set to 0):
GuestConnectionExpiry 0

When the account expires, the server by default doesn't remove the guest's home. To remove also guest's home, set:
EnableGuestWipeout 1

Guest users can disconnect their virtual desktops and reconnect them later. To disabled the possibility to reconnect the session and force the session to be terminated when the guest user close it, set:
GuestUserAllowSuspend 0

To limit the number of concurrent guests on this server (by default 10), use:
GuestUserLimit 10

Additionally, it's also possible to allow the server to set disk quota for guests by setting:
EnableGuestQuota 0
and configuring the following keys according to your needs:
GuestQuotaProtoname protoguest
GuestQuotaInodeSoftlimit 0
GuestQuotaInodeHardlimit 0
GuestQuotaBlockSoftlimit 0
GuestQuotaBlockHardlimit 0
GuestQuotaInodeGracePeriod 0
GuestQuotaBlockGracePeriod 0
GuestQuotaFilesystems all

Listing or Removing Guests To retrieve information about the existing guest accounts, including their time of expiry, use:

TIP

Guest users don't know their username and password and cannot therefore unlock the remote screen if screen locking it's enabled. Be sure to disable screen locking if you want to let guest users connect to the remote desktop.

By default, NoMachine allows the running of sessions as privileged system user ('root' or 'sudo' on Linux). You can however configure the NoMachine Server to disallow it. Do it by disabling the following server configuration key:

EnableAdministratorLogin 0

To re-enable the possibility to log in as root or administrator, set:

EnableAdministratorLogin 1

By default when the connecting user is different from the owner of the virtual desktop, the desktop owner has to authorize the user for the connection.

It is possible to define in advance a number of trusted users who don't need the specific owner's permission to connect to virtual desktops un by a different user.

In order to create a list of trusted users, administrators should use the nxserver commands for creating and editing users. These commands provide the --trusted option to define if the user is trusted for connections to the virtual desktop or not.

To create on the system a new trusted user for virtual desktops:

In a similar way, you can make a user trusted for virtual desktops and for connections to the physical desktop or for connections to the physical desktop only:

To make a user trusted for specific users' desktops
You can assign the 'trusted' flag and make the user trusted only for those desktops owned by a specific user or list of users. For example, if a new user (userB) should be created on the system and made trusted only for desktops of userA:

To list only trusted users:

Each session on the same server is uniquely identified by a session id (which can look like: B253864E822F5A235825F3AB8853AF00) and a display id (e.g.,1002).

A session on the NoMachine Terminal Server can be in any of the following statuses:
Connected - when it's connected to the remote display.
Disconnected - this status is available only for virtual desktop sessions and custom sessions. A session is marked as disconnected when it's disconnected from the remote display. A disconnected session can be reconnected at any time even from a different machine (migration). While a session is disconnected, applications on the remote server stay running. Finished - the session has been closed in a clean way and all NoMachine processes have been shut-down smoothly.
Failed - any of the NoMachine processes has failed to start or it has been "un-cleanly" terminated.
Transitional statuses are Connecting, Disconnecting and Terminating.

NoMachine Terminal Server is able to manage different types of sessions, named internally as in the table below. You can see the complete list of supported session types by running:

Session types supported by the Terminal Server and their descriptions are:

You can monitor sessions from command line tools. Below are the server commands to be run from xterm or console.

Listing Running Sessions
To list all the running sessions, their display, session owner, remote IP of the connected client, session ID and session host:

The number of active connections on the server corresponds to the number of sessions in status Connected. Session status is shown in the output of session history command.

Session History
History is preserved for a certain amount of time as set in the server configuration (SessionHistory key). To see the complete list of sessions, including those that have been cleanly terminated or failed, run:

Debugging a Failed Session with Session History
If a session is marked as failed in the session history output, the following command should provide information about the reason of the failure. The output of the following commands has been extended to provide a short report helpful for a preliminary debug of the problem:

Retrieving Statistics about Sessions with Session History
This feature elaborates a number of information about sessions, contained in the current session history. For example the number of sessions started, terminated, running and failed and their average startup time. The command to retrieve statistics is:

Clearing Sessions History
You can reset the history backlog by running the following command.

Configuring the Session History Backlog
Data is preserved for 30 days. You can modify that in the server configuration file by uncommenting and setting a different value for the following key:
SessionHistory 2592000

This key accepts the following values:
< 0 Never delete data from NX session history.
0 Disable NX session history.
> 0 Keep data in session history for this amount of seconds.

Disconnecting a Virtual Desktop Session from Command Line
You can disconnect a session, if it's a virtual desktop one, by running:

TIP

Take SESSIONID or DISPLAYID from the output of the 'nxserver --list' command, they are the 'Session ID' and 'Display' column respectively. The same output shows also the user's name.

Disconnecting or Terminating Virtual Desktops Automatically
To disconnect a virtual desktop or custom sessions after a certain time of inactivity, uncomment and set a proper timeout value, in seconds, in the following node configuration key. For example, if you want to terminate sessions after 10 minutes of inactivity you need to set:
DisplayServerExtraOptions "-timeout 600"

If the NoMachine display agent doesn't receive any input from the user in the given timeout, it will either disconnect or terminate the session. Termination of the session will be carried out if the session is not persistent or no X application is connected to the display. Otherwise the agent will disconnect the session so that the X applications will be left running.

Note that the DisplayServerExtraOptions key is only for virtual desktops or custom sessions with X11 vector graphics enabled (default).

For web sessions, sessions connected to a virtual desktop (sharing of the virtual desktop), virtual desktops with X11 vector graphics disabled and connections to the physical desktop, set instead:
DisplayAgentExtraOptions "-timeout 600"

Terminating the Session from Command Line
To terminate a virtual desktop or custom session:

Terminating Automatically Virtual Desktop/Custom Sessions in Status Disconnected
It's possible to specify for how long the server has to keep alive virtual desktops in the disconnected status. When the time has expired, the server will terminate virtual desktops if no user is connected there. To let the server terminate a disconnected virtual desktop after XXX seconds, edit the server configuration file, uncomment and set the timeout value (XXX) expressed in seconds in the following key:
DisconnectedSessionExpiry XXX

For example, by setting:
DisconnectedSessionExpiry 600
a virtual desktop will terminate after ten minutes provided there is no activity.

Terminating Automatically Virtual Desktop/Custom Sessions when the Maximum Number is Reached
To terminate a disconnected session when the maximum number of virtual desktops (see 'Limiting the Number of Virtual Desktops' below) is reached and make room for a new virtual desktop or custom session, enable the following key in the server.cfg file:
EnableAutokillSessions 1

Limiting the Number of Virtual Desktops or Custom sessions
You can set a limit for the number of virtual desktops provided that such limit does not exceed the number of connections allowed by the server license value (it's the 'Virtual Desktops' field in the server.lic file). NoMachine Terminal Server allows unlimited virtual desktops.

For example to configure the server to allow only two concurrent virtual desktops, edit the server configuration and set:
VirtualDesktopsLimit 2

You can also specify how many virtual desktops a single user may run. For example, to allow 1 connection per-user, uncomment and set the following key in the server configuration file:
VirtualDesktopsUserLimit 1

A Practical Example
Limit the number of virtual desktops to three and keep alive a virtual desktop (inactive & disconnected) for one day. If a new virtual desktop is requested, the server will terminate the oldest virtual desktop in status disconnected to make room for the new session.
VirtualDesktopsLimit 3
EnableAutokillSessions 1
DisconnectedSessionExpiry 86400

Automatic Disconnection of Users
The automatic disconnection is a server configuration to rule the server behavior when the limit of users is exceeded and a new user is requesting to connect.
Current options are:
enabled (1): the server will automatically disconnect the user to make room for the new user.
disabled (0): the server will issue a pop-up message before disconnecting the user. The current user can accept or not to
disconnect itself. If no choice is made, the server will automatically disconnect this user and let the incoming user to connect.

The automatic disconnection applies when the maximum number of available connections to the desktops or the maximum number of available virtual desktops is exceeded.

To enable the automatic disconnection set the following key in the server.cfg file:
AutomaticDisconnection 1

To let the connected user decide or refuse to disconnect, set:
AutomaticDisconnection 0

Disabling persistent virtual desktops
Users can be forced to terminate their virtual desktop session by setting in the server configuration:
DisablePersistentSession all

In this way when the user closes the virtual desktop, the session is terminated instead of being disconnected. This server configuration key also accepts a list of comma-separated usernames and will be applied to the specified users. Non persistent sessions cannot be reconnected.

Pre-requisite to connect by NoMachine is that a desktop environment is installed on the system even if the host is headless or not started in graphics mode.

By default when the user chooses to create a new virtual desktop, NoMachine runs the default X session set on the system.

During its installation, NoMachine detects the default desktop environment set on the system and configures the node accordingly. Path and command to start the system desktop environment is defined in node.cfg by the DefaultDesktopCommand key. The Workstation is able to detect GNOME, Unity, KDE, LXDE and Xfce. If you have a different desktop environment, you can edit the DefaultDesktopCommand key accordingly.

For example to run MATE:
DefaultDesktopCommand "/usr/bin/mate-session"

or to run Pantheon:
DefaultDesktopCommand "/usr/bin/gnome-session --session=pantheon"

If there are multiple desktop environments installed, you can configure NoMachine to provide users the list of all the available desktops. To do that, set xsessions=1 in the ConnectPolicy key in the server configuration (server.cfg). By default this is disabled (xsession=0). To enable it, set:
ConnectPolicy autocreate=1,autoconnect=1,automigrate=1,desktop=0,dialog=0,xsessions=1,udp=1

If there are GNOME and KDE installed, and/or if you want to provide XDM desktops, you can set desktop=1 in the ConnectPolicy key above.

To run GNOME and/or KDE, specify the command in the corresponding keys in node.cfg, for example
CommandStartGnome "/etc/X11/Xsession 'gnome-session --session=gnome'"
CommandStartKDE "/etc/X11/Xsession startkde"

Terminating a virtual desktop session is done at the system level of the Small Business Server host. For example, if you are running a virtual desktop session (Gnome), you terminate the session by choosing the logout option from Gnome's system menu.

Disconnecting the session is done by clicking the 'X' button in the upper corner of the window. Alternatively, you can disconnect via the NoMachine session menu panel (Ctrl-Alt-0 -> Connection -> Disconnect).

To facilitate users, it's possible to display a dialog to let the user decide whether to disconnect or terminate the virtual desktop session when clicking on the X button which closes the session window.

The Disconnect/Terminate dialog is available for:

To enable the Disconnect/Terminate dialog, enable the 'dialog' option (i.e. set dialog=1) in the ConnectPolicy key in server.cfg:
ConnectPolicy autocreate=1,autoconnect=1,automigrate=1,desktop=0,dialog=1,xsessions=0,udp=1

RDP sessions are encapsulated inside a virtual desktop session and they use the RDP client. So, prerequisite is that this RDP client (by default rdesktop) is installed on the Terminal Server host, i.e. where the NoMachine RDP virtual desktop will be run.

Note that behaviour of RDP sessions is strictly related to features supported by the RDP client. For example, running a Windows application as a single application is possible only if the version of the RDP client supports it.

Support for RDP sessions is not enabled by default in NoMachine Terminal Server. To enable it, please follow instructions at: https://www.nomachine.com/AR07J00645

VNC sessions are encapsulated inside a virtual desktop session and they use the VNC client. So, prerequisite is that this VNC client (by default vncviewer) is installed on the Terminal Server host, i.e. where the NoMachine VNC virtual desktop will be run.

Note that behaviour of VNC sessions is strictly related to features supported by the VNC client.

Support for VNC sessions is not enabled by default in NoMachine Terminal Server. To enable it, please follow instructions at: https://www.nomachine.com/AR10K00720

The server configuration provides a number of keys that can be activated to execute a custom script upon a certain event. According to the event, a number of parameters can be specified for each script. In a similar way, a number of keys is present in the node configuration file to allow a custom script to be executed on a certain NoMachine node event. In both cases and according to the event, a number of parameters can be specified for each script.

(*) 'main session id' and 'main session type' parameters are available only when the user connects to an already running virtual desktop (session shadowing). They indicate respectively the id and type of the session to which the user is connected with his/her own session qualified by 'session id' and 'session type'.

A further key in the node configuration file, allows to run a custom script triggered on change resolution events (resize of the remote screen). The related key is: UserScriptAfterRemoteResize

Note that the order of parameters is relevant. For example, a custom script to be run on node event 'UserScriptBeforeSessionStart' should use the $2 variable to retrieve username and $4 to retrieve display.

Pre-requisites to run custom scripts
Custom scripts must be executable. Custom scripts set-up in server.cfg are common to all the users who are accessing the server and are executed by the nxserver program. Since nxserver is running as the nx user, you have to grant this user the necessary permissions in order to execute the custom script.

Custom scripts set-up in node.cfg are executed by the nxnode program, which is run as the connected user. Place the script in a directory that is accessible by the node, i.e. accessible by the connected user(s).

By default if the execution of the scripts fails, the nxserver and nxnode will terminate. This means that the user's session will not start. You can override this behavior by forcing exit 0 inside the custom script and let the session start even if the custom script is failed.

TIP

If NoMachine Terminal Server is federated under a Cloud Server consider that custom scripts have to be placed in server.cfg or node.cfg file on the Terminal Server host, not on the Cloud Server.

Multiple connections to a virtual desktop
By default users can connect to their virtual desktops and to virtual desktops owned by other users. When the desktop owner is different from the connecting user, he/she is always required to authorize the incoming request for connection. Authorization is not requested when the incoming user and the desktop owner are the same. This allows different users sharing the same instance of the virtual desktop and access all applications and resources interactively or in view-mode only. This feature is suitable for collaborative sessions and desktop sharing.

Request for desktop owner's authorization and interaction level can be configured
via the UI
You can configure how users will connect to a desktop owned by another user from Settings -> Server > Security panel. You can basically determine if users can connect or not without asking the desktop owner's permission and if users will be able to interact with the desktop. Allowing connections in interactive mode grants the user full access to the desktop resources and applications. View-only mode is suggested for example when making presentations or teaching a lesson.

or in the server configuration file
besides using the graphical tools, you can configure the server by editing the server configuration file, uncommenting and setting a proper value for keys as illustrated in the following paragraphs.

TIPS
I	Configurations made from the UI apply to connections to physical and virtual desktops. If you want to set a separate configuration for these desktops, you have to edit the server configuration manually.
II	Rather than allow all users to connect without virtual desktop's owner authorization or click accept for every single user which would like to connect, it is possible to define in advance a number of trusted users who don't need the specific owner's permission.
III	When the Terminal Server is federated under a Cloud Server, each user must have the same system account on the Terminal Server host and on the Cloud Server host. Password can be different.

Connect to the physical desktop

NoMachine Terminal Server supports the screen blanking feature: when active, the local user will see a black screen on the physical monitor while somebody is connected from remote to the physical desktop. Operations made on the physical screen are not shown and the local user cannot interact with the desktop until the remote user logs-out. Control is given back to the local user once the remote user has logged off. Screen blanking is available for physical hosts, it is not supported on virtual machines since it has effect on the physical monitor.

You can activate the screen blanking feature on the Terminal Server host machine
via the UI:
in the Settings -> Server-> Security panel select the 'Blank the physical screen when somebody connects' option

or in the server configuration file.
Uncomment and set:
EnableScreenBlanking 1

To disable the screen blanking, set:
EnableScreenBlanking 0

In both cases then restart the server to make this change effective:

The screen blanking feature can be used in conjunction with the automatic lock of the remote screen. Even if the user didn't lock the screen before disconnecting by NoMachine, as soon as the screen is unblanked, the system lock screen will be activated automatically to keep the remote desktop protected even when the computer is running unattended.

You can enable the automatic remote screen lock from the UI:
in the Settings -> Server -> Security panel select the 'Lock the physical screen on disconnect' option

or in the server configuration file, server.cfg.
Uncomment and set the following key:
EnableLockScreen 1

To disable the automatic screen lock, set:
EnableLockScreen 0

Then restart the server to make this change effective:

By default users can connect to virtual desktop sessions owned by a different user. To forbid this capability, set in the server configuration file:
VirtualDesktopSharing 0

TIP

This setting also disables the listing of other users' virtual sessions in the client UI.

To forbid users to interact with the desktop once connected set in the server configuration:
VirtualDesktopMode 0

In this way, the connected user will access the virtual desktop in view-only mode.

To allow interaction instead, ensure to have:
VirtualDesktopMode 2

It's also possible to allow users to interact with the desktop, except for resize operations. This corresponds to:
VirtualDesktopMode 1

By default, only system administrators, NoMachine administrators and NoMachine trusted users can connect to another user's virtual desktop without the explicit authorization of the desktop owner. This corresponds to the following setting in server.cfg:
VirtualDesktopAuthorization 1

To restrict access further, so that only NoMachine trusted users can connect without the desktop owner's authorization, set:
VirtualDesktopAuthorization 2

To allow users connecting to the virtual desktop without explicit permissions, set:
VirtualDesktopAuthorization 0

Settings above apply to all users.

TIP

To restrict the access without owner's authorization to given users, set: VirtualDesktopAuthorization 2 in the server configuration and assign the 'trusted for virtual' flag to the user:

/etc/NX/nxserver --useredit USERNAME --trusted virtual

By default, connections to the physical desktop are enabled and require the desktop owner's permissions (if the connecting user is different from the desktop owner).

Users trusted for physical desktop, system administrators and NoMachine administrators will be able to connect without the need for the desktop owner's approval.

Limit connections to the physical desktop
Connections to the physical desktop can be fully disabled by setting in the server.cfg file:
PhysicalDesktopSharing 0

It's possible to limit connections to the physical desktop to special users (system administrators, NoMachine administrators, trusted users and the desktop owner). They by default can connect without authorization, even when the server is configured to request it. This configuration can be helpful for example when the computer run unattended. Set:
PhysicalDesktopSharing 2

To allow all users connect to the physical desktop, set:
PhysicalDesktopSharing 1

Limit user's interaction with the physical desktop
To forbid users to interact with the desktop once connected set in the server configuration:
PhysicalDesktopMode 0

In this way, the connected user will access the physical desktop in view-only mode.

To allow interaction instead, ensure to have:
PhysicalDesktopMode 1

Enable or disable requesting the desktop owner's authorization
To request for the explicit authorization of the desktop owner before connecting the user, set in the server configuration:
PhysicalDesktopAuthorization 1

System administrators, NoMachine administrators, trusted users and the desktop owner will be still able to connect without authorization.

Since v. 6.4, it's possible to request the owner's authorization also for administrators. To configure this, set:
PhysicalDesktopAuthorization 2

System administrators
A privileged system user has to be defined by means of system tools.

The Terminal Server allows by default administrative users to connect. You can disable it by setting in the server configuration:
EnableAdministratorLogin 0

To re-enable the possibility to log in as root or administrator, set:
EnableAdministratorLogin 1

NoMachine administrators
Permissions as NoMachine administrator are totally indipendent from system privileges and apply only to NoMachine. A NoMachine administrator, for example, can create a NoMachine infrastructure by adding server hosts to a central server. To create a new user on the system with NoMachine administrative permissions, execute:

NoMachine trusted users
To allow a restricted number of users to connect to the physical desktop without explicit authorization, assign the 'trusted' flag to a new system user. They don't have further privileges, neither on the system nor in NoMachine. To create a new user on the system trusted for NoMachine physical desktops, execute:

User's ability to disable accepting connections to the physical desktop
By default, the owner of the physical desktop, either sitting in front of the computer or connected to the physical desktop via NoMachine, has the possibility to switch off/on the sharing of the screen at any moment.

This can be done via the NoMachine Monitor (click on the !M icon in the system tray to open it) and the 'Accepting connection is enabled/disabled' item in the menu.

When 'Accepting connection' is disabled, nobody can connect to that desktop by NoMachine. This setting lasts until the desktop owner changes it again. It persists also when the user is physically logged out or closed the NoMachine connection. It's therefore strongly advisable to be very careful when disabling accepting connections from remote, since it will be no longer possible to reconnect to the desktop via NoMachine once the current session is closed.

As administrator, you can override user's settings and forcibly enable or disable the screen sharing for the given user. The user, however, will be still able to change it from the !M Monitor menu:

The Terminal Server permits users to access and share their devices and resources from local to remote and vice-versa. Disks, printers, USB devices and more can be connected inside the session to easily access them from both client and server side. At present device sharing is not available with web sessions and requires to connect by NoMachine client.

Two-way copy and paste is fully supported. Web sessions implements the NoMachine virtual clipboard provides for copying text from/to the session running in the browser and the local computer.

Download/upload files from the session to the local computer and vice-versa is also fully supported in client and web sessions, as well as drag and drop of a file from remote to local and from local to remote.

By default device sharing, copy&paste and file transfer are always permitted. You can however completely disable any of these services or disable it only partially, for example to prevent users from sharing their local printer in the NoMachine session but permitting them to use the remote printer.

NoMachine implements a self-contained infrastructure for making available physical and logical devices over the network from local to remote or vice-versa.

The NoMachine infrastructure for device sharing ensures that all services work out of the box without the need for any additional change or configuration. It is possible to connect disks, printers, USB devices, network port and smartcards.

Connecting devices is supported only by NoMachine client (web sessions don't support that). Devices can be connected through the NoMachine menu within the session (ctrl+alt+0 to open it). Connected devices can be disconnected during the life of the session and reconnected later. If option 'Export this deviceName at session startup' is checked in the menu panel, this device is automatically reconnected at the next session start-up.

Disabling device sharing
You can disable selectively the possibility to share a device

from the UI
in the Settings -> Server -> Devices panel

or in the node configuration file
by editing the corresponding keys. Manual configuration also allows the service to be limited to one-way, for example forbid to connect a local printer to remote. The next paragraphs deal with manual node configurations in detail.

The available devices are:

NoMachine allows access to local and remote file systems from within the session through the SSHFS file-sharing protocol and by means of FUSE, a technology to implement a fully functional filesystem in a userspace program.

Connected folders and disks can be disconnected during the life of the session or left as they are.

By default, all disks from the server are available to be connected to the end-user's machine. However you can specify a set of disks and folders by editing a proper value for the DiskSharingList key in the node configuration file. The default value is: all. Alternatively, you can specify a list of comma-separated directories. Note that $(HOME) and $(USER) are accepted values.

Disks from the end-user's machine can be connected on the server in 'Public' or 'Private' mode.

Connecting public disks
Disks from the end-user's machine can be connected on the server in 'Public' or 'Private' mode.
By default public disks are exported from player to "$(PUBLIC)" directory on the server, where $(PUBLIC) is: /media on Linux.

You can specify a different path by un-commenting and editing the DiskSharingPublicBasePath key in the node configuration file.
Note that $(USER) is an accepted value that can be also concatenated to specify the path to a directory, for example "/tmp/$(USER)".

The target directory must exist on the system!

Disabling Disks' Connection
To forbid disk and filesystem sharing, uncomment and set a proper value for the EnableDiskSharing key in the node configuration file:
client The filesystem on the client can be connected to server side and accessed from the session.
server The filesystem on the server can be connected to the end-user's machine and accessed through the whole life of the session.
both Client and server filesystem can be connected to remote and local sides respectively.
none Neither client or server filesystem can be connected.

For example, to forbid connecting disks from remote to local side, set in the node configuration:
EnableDiskSharing client

The printers sharing infrastructure integrates client-side printers with the server-side printing subsystem and vice-versa. Printers available on the client machine can be shared and used within the session as well as printers on the server side which can be made available on the end-user's machine.

Connected printers can be disconnected during the life of the session or left as they are. In this case, they are automatically shared at the next session start-up.

On Linux this service uses the CUPS infrastructure present on the system. With CUPS 1.4 or later, to ensure that users are able to connect a printer from local to their NoMachine session on Linux , it's necessary that the user already belongs to the CUPS System Group on the NoMachine server host. That's because, to add a printer to the CUPS system, the 'lpadmin' command line tool has to be executed by a user who belongs to the CUPS System Group, which can be for example 'lpadmin' on Ubuntu, 'sys' on Fedora, RHEL and CentOS distributions.

Disabling Printers' Connection
To forbid printer sharing it is necessary to uncomment and set a proper value for the EnablePrinterSharing key in the node configuration file:
client Printers on the client can be connected to server side and made available within the session.
server Printers on the server can be connected to the end-user's machine.
both Client and server printers can be connected to remote and local sides respectively.
none Neither client or server printers can be connected.

For example, to forbid a server-side printer to be connected to the end-user machine, set in the node configuration:
EnablePrinterSharing client

This service creates a USB tunnel between client and server to forward devices over the network such as hard disk, web cams, barcode readers, and pen drives from local to remote desktops and vice-versa.

Disabling USB Forwarding
To forbid USB device sharing it is necessary to uncomment and set a proper value for the EnableUSBSharing key in the node configuration file:
client USB devices on the client can be forwarded to server side and made available within the session.
server USB devices on the server can be connected to the end-user's machine.
both Client and server USB devices can be connected to remote and local sides respectively.
none Neither client or server USB devices can be connected.

For example, to avoid that users can forward a USB devices from the server to its own machine, set in the node configuration:
EnableUSBSharing client

NoMachine can create virtual network interfaces and establish a bridge between local and remote sides or vice-versa to provide transparent access to network resources.

This service allows access to any of the default network servers like Samba, CUPS, FTP, SSH and Telnet or any other type, for example a MySQL server.

Connecting a Samba server allows access to resources on that server host via the SMB/CIFS protocol. Connecting a local CUPS server to the remote side allows mounting of printers (local to the user) on that remote CUPS subsystem so that files can be printed on the remote side via the IPP protocol.

Some typical examples of usage:
Print to remote printers from the session
If you have a Linux or Mac machine you can add the local CUPS server via the player toolbar. Choose to add a local server and select CUPS. In this way all printers that are available on your side will be available also on the server and you can print all your documents via the native CUPS (IPP) protocol.

Access a remote host not in your Network Neighborhood
If the remote host has a Samba server, you can add it via the player toolbar. Choose to add a remote server and select Samba as server type. Once that Samba server is added, the remote host shows up in your local Network Neighborhood. You can then connect to remote folders via SMB/CIFS protocol as if that host was in your local network.

Make available a client side HTTP server
You can add your local HTTP server via the player toolbar and make it available on the remote host where your session is running. In this way you can develop and test your web application directly inside the session, without the need for sharing or moving files from remote to local.

Connect to MySQL server behind a firewall
You can choose to add a remote server via the player toolbar. Select 'Custom' and specify MySQL and the port for the MySQL server, by default 3306. Once done, you can connect to that MySQL server via the MySQL client installed on your PC.

Disabling Network Port Forwarding
To forbid network server sharing it is necessary you uncomment and set a proper value for the EnableNetworkSharing key in the node configuration file: client Network servers on client side can be connected and made available within the session.
server Network server on the server side can be connected and made available on the end-user's machine.
both Network servers from client and server side can be connected to remote and local sides respectively.
none Neither client or server side network servers can be connected.

For example, to forbid users from connecting their local ports to the server, set in the node configuration:
EnableNetworkSharing server

When the smartcard reader plugged into the enduser's host is forwarded to the server host, the smartcard authentication is made available inside the session. It can be integrated on with Kerberos Ticket system for example for implementing single sign-on (SSO).

Disabling Smartcard readers' Forwarding
You can enable or disable support for smarcard forwarding by uncommenting and setting the EnableSmartcardSharing key in the node configuration to 1 or 0 respectively.

To disable it set in node configuration file:
EnableSmartcardSharing 0

By default users can copy and paste from local to the session and vice-versa.

You can configure the server to limit such operations by setting proper values in the configuration file as explained below.

Limiting copy & paste operations
To forbid copy & paste partially or totally, uncomment and set a proper value for the EnableClipboard key in the server configuration file:
client Content copied on the user's side can be pasted inside the session.
server Content copied inside the session can be pasted on the user's side.
none No copy and paste operations are allowed.
both Two-way copy and paste operations are allowed.

Limiting the Clipboard Buffer
By default, the clipboard buffer is unlimited. If you want, for example, to limit the clipboard buffer to 4MB, you have to uncomment and set the following key (value is espressed in bytes) in the node configuration file:
ClipboardBufferLimit 4194304

When a user is connected to the desktop, they have the possibility to transfer files by using the Connection Monitor tool from the system tray within the session. The user can transfer a file from their own PC to the remote host where the session is running and vice-versa. If multiple users are connected, each of them can send a file to a specific user or to all connected users. Drag and drop of a file is also supported

You can manage file transfer
from the UI
In the Settings -> Server -> Transfers panel

or via node configuration.

Disabling File Transfer
To forbid file transfer you have to uncomment and set a proper value for the EnableFileTransfer key in the node configuration file:
client Files can be transferred from client machine to the server.
server Files can be sent from the server to clients.
both Client and server files can be transferred on remote and local respectively.
none Neither client or server files can be transferred.

For example, to forbid users from transferring a file from the server to their PC:
EnableFileTransfer client

On Linux, NoMachine audio framework is integrated with PulseAudio sound server. If PulseAudio is not available on the system, NoMachine is able to use ALSA (Advanced Linux Sound Architecture). This is automatically managed by the NoMachine server so that multimedia support can work out of the box without the need for any configuration. If both PulseAudio and Alsa are available, the administrator might want to configure the node to use one or the other.

Disabling or Setting Audio Support
To disable audio and microphone support, uncomment and set the AudioInterface key to 'disabled' in the node configuration file:
AudioInterface disabled

On Linux it is possible to define whether PulseAudio Server or ALSA has to be used by setting AudioInterface key to 'pulseaudio' or 'alsa' respectively. For example:
AudioInterface pulseaudio

NoMachine can record in a video all activities made inside the session or on the desktop. To start the recording of the session, users should open the NoMachine menu inside the session (ctrl+alt+0) and click on the 'Recording' button icon to access the Recording panel. From this panel it's possible to open the recording bar, change audio and video quality and open the recording directory to access all recorded files. Session recording is not available with sessions on the web.

To register activities made on the desktop, start the recording from the !M icon menu in the system tray of the Terminal Server host and show the Recording bar from there. Desktop activities can be registered on the physical desktop without the need to be connected by NoMachine.

Recorded files are saved by default in WebM format and can be played back directly with NoMachine or any other player supporting that format. Video streams can be encoded only with VP8 or H.264 when supported. Recorded files are saved by default on the user's device in the NoMachine directory under the 'Documents' directory.

Disabling session recording
To prevent users from recording their session activities, edit the node configuration to set:
EnableSessionRecording 0

Disabling desktop recording
To prevent users from recording desktop activities, even when physically logged into the Terminal Server host, edit the node configuration to set:
EnableLocalRecording 0