NoMachine Support

Your questions answered

Knowledge Base

Searching in: Feature Requests
ID: FR02S04078
Added on:  2021-02-19
Last update: 2021-03-03
Priority: High
Products: NoMachine Server
Implemented in: 7.2.3
Status:  Implemented
Changing the default forward methods for Cloud Server nodes

Cloud Server v. 6 and the current v. 7 use the following default methods for forwarding client connections to their nodes ('child servers'): 'token,tunnel' for connections by NX protocol and 'system,tunnel' for connections by SSH protocol.

These settings assume that the Cloud Server can connect directly to its nodes (by using 'token' or 'system'). When nodes are not directly accessible, for example because the Cloud Server is in a DMZ, it switches to the 'tunnel' method only after having tried the previous method. This can potentially add up to 30 seconds to the time clients need to connect to the requested nodes.

In this case, i.e. when the nodes are not in the same network, it is necessary to configure the Cloud Server to always use the 'tunnel' method.

With the implementation of this Feature Request, the default method for forwarding client connections will change to 'tunnel' for both protocols, which corresponds to the following:

nxserver --serveredit <node:port> --forward-nx-methods tunnel
nxserver --serveredit <node:port> --forward-ssh-methods tunnel

Where <node:port> is the name of the node under the Cloud Server, as it appears in the output of the 'nxserver --serverlist --extended' command.


Changing the default forward method to 'tunnel' guarantees a connection time in the order of a few hundred milliseconds, both in normal conditions and when Cloud Servers are installed as gateways behind a NAT (added, for example, to permit internal access to users located anywhere on a large LAN or on the Internet). Before, these connections could take up to 10 or even 30 seconds to be successfully completed.

In the case of Cloud Server and nodes in the same network (LAN or VPN), i.e. when the Cloud Server can connect directly to its nodes, the administrator can configure the main server to use 'token' for connections by NX protocol and 'system' for those by SSH protocol.

For client connections by NX protocol:
nxserver --serveredit <node:port> --forward-nx-methods token

For client connections by SSH protocol:
nxserver --serveredit <node:port> --forward-ssh-methods system
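
The following script is an added example, not part of the original page and not NoMachine code. It audits a node inventory for the case described above, where a node that the Cloud Server cannot reach directly still has a direct method listed ahead of 'tunnel', and prints the 'nxserver --serveredit' commands that pin 'tunnel'. The inventory format, the 'direct'/'indirect' placement labels and the host names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not NoMachine code). Dry run: prints commands, runs nothing.
# Inventory format is an assumption of this example, one node per line:
#   <node:port> <placement> <nx-methods> <ssh-methods>
# placement: direct (same LAN/VPN as the Cloud Server) or indirect (DMZ/NAT).

valid_methods() {
    # Succeed only for a comma-separated list of token|system|tunnel.
    case ",$1," in *,,*) return 1 ;; esac   # empty list or empty element
    rest=$1
    while [ -n "$rest" ]; do
        case "${rest%%,*}" in token|system|tunnel) ;; *) return 1 ;; esac
        case "$rest" in *,*) rest=${rest#*,} ;; *) rest= ;; esac
    done
}

audit_nodes() {
    # Read the inventory on stdin. For every indirect node whose method list
    # is not exactly 'tunnel' (a direct method is tried first, or tunnel is
    # missing), print the command that pins 'tunnel'. Return 1 on bad input.
    rc=0
    while read -r node placement nx_m ssh_m; do
        case "$node" in ''|'#'*) continue ;; esac
        case "$placement" in direct|indirect) ;; *)
            echo "$node: unknown placement '$placement'" >&2; rc=1; continue ;;
        esac
        if ! valid_methods "$nx_m" || ! valid_methods "$ssh_m"; then
            echo "$node: invalid method list" >&2; rc=1; continue
        fi
        [ "$placement" = indirect ] || continue
        [ "$nx_m" = tunnel ] ||
            echo "nxserver --serveredit $node --forward-nx-methods tunnel"
        [ "$ssh_m" = tunnel ] ||
            echo "nxserver --serveredit $node --forward-ssh-methods tunnel"
    done
    return $rc
}

# Constructed sample inventory; host names are placeholders.
SAMPLE='lan-node.example:4000 direct token system
dmz-node.example:4000 indirect token,tunnel system,tunnel
nat-node.example:4000 indirect tunnel tunnel'

printf '%s\n' "$SAMPLE" | audit_nodes
```

Only the 'dmz-node' entry is reported: the directly reachable node may keep 'token'/'system', and the node already pinned to 'tunnel' needs no change.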

Some definitions:
i) Tunnel - The client traffic is relayed through the Cloud Server with the protocol specified for the server-to-node communication (command 'nxserver --serveradd <server> [--protocol NX|SSH]').

ii) Token - The client will authenticate to the node with OTP, a One Time Password token which uniquely identifies the client. The connection will be forwarded to the node after the user has been authorized on the Cloud Server.

iii) System - The client will authenticate to the node by using the same credentials already used for authenticating on the Cloud Server host. The connection will be forwarded after the user has been authorized on the Cloud Server.


Server usage:

--serveradd <server> [--protocol NX|SSH][--port <port>][--foreign][--target <uuid>]
                     [--forward-nx-methods token|system|tunnel]
                     [--forward-nx-host <server>] [--forward-nx-port <port>]
                     [--forward-ssh-methods token|system|tunnel]
                     [--forward-ssh-host <server>] [--forward-ssh-port <port>]
                     [--direct-access yes|no]
                     [--manual-selection yes|no]
                     [--label <label>]
                     [--comment <comment>]
                     [--strict-host-key-checking yes|no]
                     [--auth-required yes|no]
                     [--servergroup <groupname>]

  Federate a remote host under this server, where <server> is IP or
  hostname of the remote host. Server-to-server communication uses by
  default NX protocol and port 4000. Change this by using --protocol
  and --port. To add a child server to a different parent server and
  build a multi-tier hierarchy, specify --target <uuid> where <uuid>
  is the id of the parent server. Provide --foreign to add Unix-like
  stations not supported by NoMachine software. By default client
  connections are forwarded to the child server by 'tunnel' method.  
  When the client can connect directly to the child server, it's  
  possible to use 'token' for connections by NX protocol and 'system'
  for connections by SSH by means of the --forward-nx-methods and
  --forward-ssh-methods options. They accept a comma-separated list
  of values ('token', 'system' and 'tunnel') in a positional order.
  Connections to foreign X servers can use only 'tunnel'. Further
  parameters permit to route the client to a NoMachine server through
  a specific network interface and port: --forward-nx-host <server>
  and --forward-nx-port <port> for the NX protocol; --forward-ssh-
  host <server> and --forward-ssh-port <port> for SSH. A NoMachine
  child server by default doesn't accept users' direct connections.
  Use '--direct-access yes' to allow it. By default, users can select
  the remote server. Use '--manual-selection no' to exclude a server
  from the list. The --label option permits to assign a name or short
  note to the server, displayed to users. Provide --comment to add
  a longer text visible only to administrators. For adding auto-
  matically the host key to known_hosts file (if SSH is used) or to
  client.crt (if NX protocol is used) on the server without being
  prompted to accept the key, set --strict-host-key-checking to 'no'.
  Set --auth-required to 'yes' to request username and password when
  the user connects to the child server in order to authenticate with
  separate accounts. This is not available for the 'token' method.
  Provide --servergroup option to add the server to an existent group
  of servers.