Adding a new option to server commands for directing users to a given server federated under a CS

ID: FR03O03388 Priority: High
Products: NoMachine Server Target: 6
Status: Implemented  

This feature applies only to NoMachine Cloud Server (CS) version 6 or later.

A new option, --forward-connection, will permit administrators to specify to which server, among those servers federated under the CS, the user's connection will be directed. When this option is set, the user will not see the list of the available servers federated under the CS, but will be immediately routed to the given child server.

The user's connection will be directed to the child server according to the client's protocol (NX or SSH) and the forward method set for the federated server. Supported methods are: token, system and tunnel. Note that in the case of foreign servers (Unix-based hosts not running NoMachine software) the forward method necessarily has to be 'tunnel', or users cannot be directed to such a host. See also https://www.nomachine.com/FR03O03376 for more details about the available options for setting the forward method via the nxserver --serveradd/serveredit commands.


The --forward-connection option can be set on a per-user basis or on a per-group basis.

When the user belongs to multiple groups, the directive set for the group with highest priority overrides the other settings.

 

Differences between the --redirect option and the new --forward-connection option

The --redirect directive, already available with servers v. 4 and 5, can be applied to route the user's connection to any NoMachine server. The --forward-connection directive, a feature of Cloud Server v.6, permits assigning users to a specific server that is part of a multi-host infrastructure. It therefore requires that the given server is federated under a Cloud Server.

 

How to set the --forward-connection option

There are two ways:

a) by using server commands to add and edit users and groups of users (nxserver --useradd/groupadd; nxserver --useredit/groupedit)

or:

b) by setting a profile rule.

These two methods are fully equivalent, but in the case of guest users (system accounts automatically generated on demand) it is necessary to use profile rules.

 


Server commands in detail

1) Server commands to add/edit/list users

--useradd <username> [--system [--home <homedir> | --nohome]
                                     [--gid <gid>]  [--uid <uid>]]
                                     [--administrator]
                                     [--redirect <server:port>]
                                     [--group <groupname>]
                                     [--trusted [virtual | physical]]
                                     [--screensharing yes|no]
                                     [--forward-connection <server:port>|<uuid>]

  Add the user to the NoMachine backend when a system account already
  exists for this user. Inserting a password is requested if server is
  configured to use the NoMachine password. Specify --system to create
  the system account if it doesn't exist yet. In this case --home or
  --nohome, --gid and --uid can be given to override system or server
  configuration. These options are not available on Windows platforms.
  Specify --administrator to grant NoMachine administrative rights to
  the user. If server supports redirection, use --redirect to set IP
  or hostname and port for the NoMachine server where connections run
  by this user are forwarded. Specify --group to add the user to an
  already existent group of users. Use --trusted to allow the given
  user to connect to another user's desktop without the need for the
  owner's approval. Specify 'virtual' or 'physical' for limiting the
  --trusted authorization to connections to physical desktops or to
  virtual desktops only. When sharing the physical desktop is enabled
  in the server configuration, use --screensharing to preconfigure
  personal user's settings and allow or forbid connections to the
  user's physical desktop. The user will be still able to change this
  setting from the GUI inside the session.  Use --forward-connection
  to forward the user's connection to a federated server identified by
  its name (<server:port>) or id (<uuid>) as it appears in the output
  of the 'nxserver --serverlist --extended' command.

--useredit <username> --redirect <server:port> | --group <groupname> |
                      --trusted virtual | physical | none |
                      --administrator [yes | no] |
                      --screensharing [yes | no] |
                      --forward-connection <server:port>|<uuid>

  Use --redirect to modify IP or hostname and port for the NoMachine
  server where connections run by the user are redirected. Specify
  '--redirect none' to disable redirection for this user. Use --group
  to add the user to a group of users and '--group none' to remove the
  user from that group. Use --trusted to allow the user to connect to
  another user's desktop without the need for the owner's approval.
  Specify 'virtual' or 'physical' to limit the --trusted authorization
  to connections to physical desktops or to virtual desktops only.
  Provide 'none' instead to remove this ability. Use --administrator
  to grant NoMachine administrative rights to the user, or specify
  'no' to remove them. When sharing the physical desktop is enabled
  in the server configuration, use --screensharing to configure
  personal user's settings and allow or forbid connections to the
  user's physical desktop. The user will be still able to change this
  setting from the GUI inside the session. Use --forward-connection
  to forward the user's connection to a federated server identified
  by its name (<server:port>) or id (<uuid>) as it appears in the
  output of the 'nxserver --serverlist --extended' command. In order
  to disable auto-forwarding for this user, use '--forward-connection
  none'.

--userlist [<username>][--guest [--home] | --administrator | --trusted |
            --screensharing yes|no]

  List all users present in the NoMachine backend and enabled to log
  in. If --guest is specified, list only guest users enabled to log in.
  In this case when --home is given, list guests still having their
  system home, but already expired. If --administrator is specified,
  list only NoMachine administrators. If --trusted is provided, list
  only users allowed to connect to other users' desktops without the
  need for the owner's approval. Provide '--screensharing yes' to
  list only those users with a personal configuration that allows the
  sharing of their physical desktop. Use '--screensharing no' to
  see which users disabled the sharing of their screen. When
  <username> is provided, display details only about this user.

 

When --forward-connection is set, the output of the 'nxserver --userlist' command displays the target server (identified by its uuid) in the 'Forwarded to' field:

nxserver --userlist
NX> 149 NX users list
 

53532db3-0626-4074-ae50-a87ab1f84538

 

The output of the 'nxserver --userlist <username>' command provides information about the given user in the following format:

nxserver --userlist nxtest01
NX> XXX NX Details for user 'nxtest01':
Redirected to:
Trusted for: virtual
Screen sharing:  enabled
Access: enabled
Forwarded to:

Groupname  Priority  Redirected to  Trusted for  Users              Forwarded to
testers    1                        physical     nxtest01,nxtest02  53532db3-0626-4074-ae50-a87ab1f84538

 

3) Server commands to set and manage profile rules

The general format of the server command to set a profile rule to forward the user's connection to the target server is:

nxserver --ruleadd --class server --type forward-connection --value <server:port>|<uuid> OPTION

The target server is identified by its name (<server:port>) or id (<uuid>) as it appears in the output of the 'nxserver --serverlist --extended' command.

OPTION can be any of the following:

--system   
to apply the rule to all users connecting to this Cloud Server.
 
--user USERNAME
to set the rule on a per-user basis. The rule will be applied to the specified user only.

--guest
to apply the rule only to guest accounts.   

--group GROUP
to set the rule on a per-group basis. The rule will be applied to the specified group only.
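The following POSIX shell script is an added example and is not NoMachine's own code. It serves two parts of this page: it parses the 'Forwarded to' and 'Redirected to' fields of the 'nxserver --userlist <username>' output shown above, so an administrator can audit which users are auto-forwarded and whether the target is a well-formed <server:port> or <uuid>, and it composes the 'nxserver --ruleadd ... --type forward-connection' command line for each of the OPTION scopes listed in this section, refusing malformed targets before anything reaches the server. The sample output, the user name nxtest01, the group testers, the host cs2.example.com and the uuid are constructed or copied from the page; the 'NX> XXX' status code is the placeholder the page itself shows. The script does not call nxserver; it only prints the command it would run.

```shell
#!/bin/sh
# Added example, not NoMachine code. Audits --forward-connection settings
# from 'nxserver --userlist <username>' output and builds --ruleadd commands.

# Constructed sample of 'nxserver --userlist nxtest01' output, following the
# format shown on the page (uuid and user name are sample values).
sample_userlist() {
  cat <<'EOF'
NX> XXX NX Details for user 'nxtest01':
Redirected to:
Trusted for: virtual
Screen sharing:  enabled
Access: enabled
Forwarded to: 53532db3-0626-4074-ae50-a87ab1f84538
EOF
}

# field_value FIELD: print the value of the line starting with "FIELD:" read
# from stdin (empty if the field has no value).
field_value() {
  awk -v f="$1:" 'index($0, f) == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# is_uuid: 8-4-4-4-12 hex groups, the id format of 'nxserver --serverlist --extended'.
is_uuid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# is_server_port: <hostname-or-IPv4:port> with a numeric port in 1-65535.
is_server_port() {
  case "$1" in
    *:*) host=${1%:*}; port=${1##*:} ;;
    *) return 1 ;;
  esac
  [ -n "$host" ] || return 1
  printf '%s\n' "$port" | grep -Eq '^[0-9]+$' || return 1
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# classify_target VALUE: prints unset | uuid | server | invalid.
classify_target() {
  if [ -z "$1" ] || [ "$1" = none ]; then echo unset
  elif is_uuid "$1"; then echo uuid
  elif is_server_port "$1"; then echo server
  else echo invalid
  fi
}

# audit_user: read '--userlist <username>' output on stdin and print
# "<status> forwarded=<value> redirected=<value>", where status is
#   ok        forwarded to a well-formed federated-server target, no --redirect
#   unset     no auto-forwarding (the user is shown the federated server list)
#   both-set  --redirect and --forward-connection are both configured; review
#   invalid   'Forwarded to' is neither <server:port> nor <uuid>
audit_user() {
  text=$(cat)
  fwd=$(printf '%s\n' "$text" | field_value 'Forwarded to')
  red=$(printf '%s\n' "$text" | field_value 'Redirected to')
  kind=$(classify_target "$fwd")
  if [ -n "$red" ] && [ "$kind" != unset ]; then status=both-set
  elif [ "$kind" = unset ]; then status=unset
  elif [ "$kind" = invalid ]; then status=invalid
  else status=ok
  fi
  printf '%s forwarded=%s redirected=%s\n' "$status" "$fwd" "$red"
}

# forward_rule_cmd TARGET SCOPE [NAME]: print the 'nxserver --ruleadd' line
# for a forward-connection profile rule. SCOPE is system|guest|user|group;
# NAME is the user or group name for the last two. Fails on a bad target.
forward_rule_cmd() {
  target=$1; scope=$2; name=$3
  case $(classify_target "$target") in
    uuid|server) ;;
    *) echo "forward_rule_cmd: bad target '$target'" >&2; return 1 ;;
  esac
  case $scope in
    system|guest) opt="--$scope" ;;
    user|group)
      [ -n "$name" ] || { echo "forward_rule_cmd: $scope needs a name" >&2; return 1; }
      opt="--$scope $name" ;;
    *) echo "forward_rule_cmd: unknown scope '$scope'" >&2; return 1 ;;
  esac
  printf 'nxserver --ruleadd --class server --type forward-connection --value %s %s\n' \
    "$target" "$opt"
}

# Stand-alone run: audit the sample user, then show the rule command that
# would forward the 'testers' group to the same server.
sample_userlist | audit_user
forward_rule_cmd 53532db3-0626-4074-ae50-a87ab1f84538 group testers
```

On a live Cloud Server the sample would be replaced by 'nxserver --userlist "$user" | audit_user' for each user of interest; the 'both-set' status only flags that the two directives coexist, since this page does not state which one takes precedence.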