Windows Applications

This section describes how to configure Windows application objects.

This section includes the following topics:

• Configuring Windows Application Objects

• Creating Windows Application Objects on the Command Line

• Configuring Microsoft Windows Terminal Services for Use With SGD

• Licensing Microsoft Windows Terminal Services

• Microsoft Windows Remote Desktop

• Seamless Windows

• Key Handling for Windows Terminal Services

• Returning Client Device Information for Windows Terminal Services Sessions

• The SGD Remote Desktop Client

• Running Windows Applications on Client Devices

Configuring Windows Application Objects

You use a Windows application object if you want to give a Microsoft Windows graphical application to users.

In the Administration Console, the configuration settings for Windows application objects are divided into the following tabs:

• General tab – These settings control the name and the icon used when creating links for users

• Launch tab – These settings control how the application is started and whether application sessions can be suspended and resumed

• Presentation tab – These settings control how the application is displayed to users

• Performance tab – These settings are used to optimize the performance of the application

• Client Device tab – These settings control how the user’s client device interacts with the application

The following table lists the most commonly used settings for configuring Windows application objects, and how to use them.

Attribute Description Name The name that users see. Icon The icon that users see. Application Command The full path to the application that runs when users click the link. The application must be installed in the same location on all application servers. Leave this field blank if you want to run a Windows desktop session. Arguments for Command Any command-line arguments to use when starting the application. SGD Remote Desktop Client By default, the SGD Remote Desktop Client is used to run the application on the Microsoft Windows application server. SGD uses the Microsoft RDP protocol to connect to the application server. See Configuring Microsoft Windows Terminal Services for Use With SGD. Local Client Launch Select the Local Client Launch to run the application on the user’s client device. See Running Windows Applications on Client Devices. Domain Name The Windows domain to use for the application server authentication process. This can be left blank. The domain can also be configured on either the application server or the user profile. See also Windows Domains and the Password Cache. Number of Sessions The number of instances of an application a user can run. The default is three. Application Resumability For how long the application is resumable. The following options are available: Never – The application can never be resumed During the User Session – The application keeps running and is resumable until the user logs out of SGD General – The application keeps running for a time, controlled by the Timeout setting, after the user logs out of SGD, and can be resumed when the user next logs in Window Type How the application is displayed to the user. Use Kiosk for full-screen desktop sessions. Selecting the Scale to Fit Window check box for the Window Size enables SGD to scale the application window to fit the client device display. For Independent Window, you must specify a Height and Width for the Window Size or select the Client’s Maximum Size check box. Use Seamless Window mode to the application in the same way it displays on the Windows application server, regardless of the user’s desktop environment. See Seamless Windows. Color Depth The application’s color depth. See Color Depth for more details. Application Load Balancing How SGD chooses the best application server to run the application. See Application Load Balancing for more details. Hosting Application Servers tab Use the Editable Assignments table to select the application servers, or group of application servers, that can run the application. The application must be installed in the same location on all application servers Assigned User Profiles tab Use the Editable Assignments table to select the users that can see the application. Selecting Directory or Directory (light) objects enables you to give the application to many users at once. You can also use a Lightweight Directory Access Protocol (LDAP) directory to assign applications. See LDAP Assignments.

In addition to this configuration, you can also configure the following:

• Printing – See Printing.

• Client drives – See Client Drive Mapping.

• Audio – See Audio.

• Smart cards – See Smart Cards.

• Copy and paste – See Copy and Paste.

• Serial ports – See Serial Ports.

Creating Windows Application Objects on the Command Line

On the command line, you create an Windows application object with the tarantella object new_windowsapp command. You can also create multiple Windows application objects at the same time with the tarantella object script command. See Populating the SGD Organizational Hierarchy Using a Batch Script.

Windows application objects can only be created in the o=applications organizational hierarchy.

Configuring Microsoft Windows Terminal Services for Use With SGD

Configuring a Windows application object enables you to use the features of Microsoft Windows Terminal Services.

The Terminal Services features supported by SGD and the application server platforms on which they are supported are listed in the Oracle Secure Global Desktop 4.6 Platform Support and Release Notes available at http://docs.sun.com/app/docs/doc/821-1928.

There are many possible configuration settings for Microsoft Windows Terminal Services. For detailed information on configuring Terminal Services, see your system documentation. To use Terminal Services with SGD, the settings you might have to configure include the following:

• Authentication Settings

• Session Resumability and Session Directory

• Windows Printer Mapping

• Drive Redirection

• Encryption Level

• Multiple Terminal Services Sessions

• Remote Desktop Users

• Time Zone Redirection

• Audio Redirection

• Smart Card Device Redirection

• COM Port Mapping

• Color Depth

• Transport Layer Security

• Terminal Services Group Policies

• Keep Alive Configuration for Windows Terminal Servers

Authentication Settings

You must configure Windows Terminal Services so that it does not prompt for a password when a user logs in.

By default, Windows 2000 Server always prompts for a password when users log in, whether or not SGD supplies the password for the application server from its password cache. By default, Windows Server 2003 or later, does not prompt for passwords.

Session Resumability and Session Directory

With Windows Terminal Services, users’ sessions can continue to run following a connection loss.

If you are not using Session Directory, it is best to disable this feature on the Windows Terminal Server, and let SGD handle session resumability. This prevents unnecessary use of resources on the application server, and ensures that if users share accounts on the application server, they do not resume each other’s Windows sessions. To disable this feature, you must select End Session for the When Session Limit Is Reached Or Connection Is Broken option in Terminal Services Configuration.

If you are using Session Directory to handle session resumability, you must select Suspend Session for the When Session Limit Is Reached Or Connection Is Broken option in Terminal Services Configuration. To use Session Directory, you must also configure the Window Close Action attribute for Windows application objects to End Application Session.

Windows Printer Mapping

To support printing to client printers from a Windows Terminal Server session, Windows printer mapping must be enabled. Windows printer mapping is enabled by default.

Drive Redirection

To support mapping of client drives in a Windows Terminal Server session, drive redirection must be enabled. Drive redirection is enabled by default.

Encryption Level

You can only use the Low, Client-compatible, or High encryption levels with SGD. SGD does not support the Federal Information Processing Standards (FIPS) encryption level.

Multiple Terminal Services Sessions

By default, a Microsoft Windows Server only allows users to start one Terminal Services session. If a user starts another desktop session, or another instance of an application with the same arguments, the second Terminal Services session grabs the first session and disconnects it. This means that it is not possible to start two desktop sessions, or two instances of the same application, on the same Windows Server.

On Microsoft Windows Server 2003 or later application servers, you can enable support for multiple Terminal Services sessions.

Remote Desktop Users

For Microsoft Windows Server 2003 or later application servers, users can only use Terminal Services if they are members of the Remote Desktop Users group.

Time Zone Redirection

Client computers can redirect their time zone settings to the Terminal Server, so that users see the correct time for their time zone in their desktop or application sessions. Terminal Services uses the server base time on the Terminal Server and the client time zone information to calculate the time in the session. This feature is useful if you have client devices in different time zones. By default, this feature is disabled.

In the Administration Console, the Time Zone Map File attribute on the Global Settings -> Client Device tab specifies a file that contains mappings between UNIX platform client device and Windows application server time zone names.

Audio Redirection

To play audio from a Windows Terminal Server session, audio redirection must be enabled on the application server. By default, audio redirection is disabled.

Smart Card Device Redirection

To use a smart card reader from a Windows Terminal Server session, smart card device redirection must be enabled on the application server. By default, smart card device redirection is enabled.

COM Port Mapping

To access the serial ports on the client device from a Windows Terminal Server session, COM port mapping must be enabled on the application server. By default, COM port mapping is disabled.

Color Depth

SGD supports 8-bit, 16-bit, 24-bit, and 32-bit color depths in a Windows Terminal Server session.

32-bit color is available on Windows Vista, Windows Server 2008, Windows Server 2008R2, and Windows 7 platforms. For a 32-bit color depth, the client device must be capable of displaying 32-bit color.

15-bit color depths are not supported. If this color depth is specified on the Terminal Server, SGD automatically adjusts the color depth to 8-bit.

Transport Layer Security

From Microsoft Windows Server 2003 and later, you can use Transport Layer Security (TLS) for server authentication, and to encrypt Terminal Server communications. SGD does not support the use of TLS.

Terminal Services Group Policies

For Windows Server 2003 and later, Terminal Services settings can be configured using Group Policy, as follows:

• Individual Windows Terminal Servers can be configured using a Local Group Policy Object (LGPO). In the Group Policy Object Editor, the Terminal Services settings are at: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Terminal Services

• Multiple Windows Terminal Servers can be configured using a Group Policy Object (GPO), linked to a domain or organizational unit (OU).

To improve performance, you might want to configure some or all of the following policies:

• Keep-Alive Connections. This policy specifies a keep alive time interval for the Terminal Services session. See also Keep Alive Configuration for Windows Terminal Servers.

• Limit Maximum Color Depth. This policy controls the display color depth on client devices. See Microsoft Knowledge Base article 278502 for details of how to set this policy.

Keep Alive Configuration for Windows Terminal Servers

If you find that the connection between the SGD server and the Windows Terminal Server is being dropped unexpectedly, you might need to configure the keep alive mechanism for the Windows Terminal Server.

How to do this is described in Microsoft Knowledge Base article 216783.

Licensing Microsoft Windows Terminal Services

SGD does not include licenses for Microsoft Windows Terminal Services. If you access terminal server functionality provided by Microsoft operating system products, you need to purchase additional licenses to use such products. Consult the license agreements for the Microsoft operating system products you are using to determine which licenses you must acquire.

Terminal Services licensing is done using a CAL. A CAL is a license that allows a client to access the Windows Terminal Server. Depending on the licensing mode, a client can be either a user, or a device, or a combination of both.

Client license management for Microsoft Windows Terminal Services varies according to the client platform, as follows:

• Windows platforms. CALs for client devices that connect to the Terminal Server are allocated in accordance with Microsoft policy. CALs are stored in the Windows registry on the client device.

• UNIX, Linux, or Mac OS X platforms. CALs for client devices that connect to the Terminal Server are stored in a license pool in the datastore on the SGD server. Management of this license pool is done by the SGD Administrator, using the tscal command. See Managing CALs From the Command-Line .

Managing CALs From the Command-Line

You can use the tarantella tscal command to manage Microsoft Windows Terminal Services CALs for non-Windows client devices, as follows:

• To list the Terminal Services CALs currently reserved for non-Windows client devices, type the following:

  $ tarantella tscal list

• To free a Terminal Services CAL for use by another non-Windows client devices, type the following:

  $ tarantella tscal free

• To return all free Terminal Services CALs to the Windows License Server, type the following:

  $ tarantella tscal return --free

Microsoft Windows Remote Desktop

Some editions of Microsoft Windows include a Remote Desktop feature that enables you to access a computer using Microsoft RDP. You can use SGD and Remote Desktop, for example, to give users access to their office PC when they are out of the office.

The supported platforms and features for Remote Desktop are listed in the Oracle Secure Global Desktop 4.6 Platform Support and Release Notes available at http://docs.sun.com/app/docs/doc/821-1928.

Before introducing SGD, ensure that the Remote Desktop connection to the Microsoft Windows computer is working.

You configure SGD for use with Remote Desktop as follows:

• Create an application server object for each Microsoft Windows computer.

• Create a Windows application object for the Windows desktop application.

  To ensure users access their own computer, you have to create separate Windows desktop application objects for each Microsoft Windows computer.

See Using My Desktop for details of how to run a full-screen desktop session, without displaying the SGD webtop.

Seamless Windows

With seamless windows, the Microsoft Windows application server manages the display of the application. This means an application’s windows behave in the same way as an application displayed on the application server, regardless of the user’s desktop environment. The window can be resized, stacked, maximized, and minimized. The Windows Start Menu and Taskbar are not displayed when using seamless windows.

Seamless windows are not suitable for displaying Windows desktop sessions. Use a kiosk or independent window instead.

The following are the conditions for using seamless windows:

• The SGD Enhancement Module for Windows must be installed on the application server.

• The Windows application object must be configured with a Window Type of seamless window.

If any of the above conditions are not met, SGD displays the Windows application in an independent window instead.

Notes and Tips on Using Seamless Windows

The following are some notes and tips on displaying applications in seamless windows:

• If an application is displayed in a seamless window, you can toggle between a seamless window and an independent window by pressing the Scroll Lock key. This does not work if the SGD Client is in Integrated Mode.

• Applications that have non-rectangular windows, for example, a media player with a customized skin, display in a rectangular window.

• On Windows client devices, seamless windows are not affected by the Cascade, Tile Windows Horizontally, or Tile Windows Vertically window commands.

• If a screen saver or the Windows Security dialog displays, the window automatically switches to an independent window. Unlocking the application automatically restores the window to a seamless window.

• If a seamless window application is resumed on a display that is larger or smaller in size than the original session, the application is displayed in an independent window.

• Each application displaying in a seamless window has its own RDP connection.

• Applications configured to display in seamless windows might not display correctly when accessed from a Gnome 2.0.0 Desktop. This is caused by an unpatched version of the Metacity Window Manager. The solution is to install the Gnome 2.0.0 Window Manager patch. Patch ID: 115780, available from the Sun Support Center at http://www.sun.com/support.

Key Handling for Windows Terminal Services

You can configure how SGD handles keyboard presses on the client device in a Windows Terminal Services session, as follows:

• Supported Keyboard Shortcuts for Windows Terminal Services

• The Windows Key and Window Management Keys

• Configuring Windows Keyboard Maps

Supported Keyboard Shortcuts for Windows Terminal Services

SGD supports the following keyboard shortcuts for Windows Terminal Services sessions.

Keyboard Shortcut Description Ctrl-Alt-End Displays the Windows Security dialog. Alt-Page Up Switches between windows, from left to right. Alt-Page Down Switches between windows, from right to left. Alt-Insert Cycles through windows, in the order they were opened. Alt-End Displays the Windows Start menu. Alt-Delete Displays the pop-up menu for the current window. Ctrl-Alt-Minus Use the Minus (-) key on the numeric keypad. Places a snapshot of the active client window on the Windows Terminal server clipboard. Provides the same functionality as pressing Alt-PrintScrn on a local computer. Ctrl-Alt-Plus Use the Plus (+) key on the numeric keypad. Places a snapshot of the entire client window area on the Windows Terminal server clipboard. Provides the same functionality as pressing PrintScrn on a local computer. Alt-Ctrl-Shift-Space Minimizes the active window. Only applies for kiosk mode.

The Windows Key and Window Management Keys

In SGD Windows Terminal Services sessions, the Windows key and keyboard shortcuts for managing windows can be sent either to the remote session or acted on locally. By default, they are acted on locally.

For Windows applications objects that are configured to display in kiosk mode, the Window Management Keys (--remotewindowkeys) attribute controls keyboard shortcut behavior. To send the Windows key and window management keys to the remote session, do either of the following:

• In the Administration Console, go to the Client Device tab for the Windows application object and select the Window Management Keys check box.

• Use the following command:

  $ tarantella object edit --name obj --remotewindowkeys 1

If the Windows key and window management keys are sent to the remote session, use the key sequence Alt-Ctrl-Shift-Space to exit kiosk mode. This minimizes the kiosk session on the local desktop. Alternatively, to exit kiosk mode you can use the Kiosk Mode Escape (--allowkioskescape) attribute to enable a pull-down header for the application window. The pull-down header includes icons for minimizing and closing the kiosk session.

For Windows applications objects that are not configured to display in kiosk mode, you can force the Windows key to be sent to the remote session by using the -windowskey option for the SGD Remote Desktop Client. To send the Windows key to the remote session, do either of the following:

• In the Administration Console, go to the Launch tab for the Windows application object and type -windowskey on in the Arguments field.

• Use the following command:

  $ tarantella object edit --name obj --protoargs "-windowskey on"

Configuring Windows Keyboard Maps

The process of configuring Windows keyboard maps in SGD is the same as that used for configuring keyboard maps for X applications. See also Keyboard Maps.

Returning Client Device Information for Windows Terminal Services Sessions

By default, when you run a Windows application through SGD using the Microsoft RDP protocol, the host name of the client device is returned in the %CLIENTNAME% environment variable for the Windows Terminal Services session. When you use a Sun Ray Desktop Unit (DTU) client device, the DTU ID is returned in the %CLIENTNAME% environment variable. The DTU ID is the hardware address of the Sun Ray.

The DTU ID can be used to specify the name of the client device in the wcpwts.exp login script. SGD uses this login script for all Windows applications that connect using the Microsoft RDP protocol.

The SGD Remote Desktop Client

The SGD Remote Desktop Client, also known as ttatsc, is a client program that handles the connection between the SGD server and the Windows Terminal Server.

The syntax for running ttatsc from the command line is as follows:

ttatsc [-options..] server.example.com

where server.example.com is the name of a Windows Terminal Server.

You can use the ttatsc to configure Windows Terminal Services sessions in the following ways:

• Configure attributes for the Windows application object. Some of the ttatsc command options are available as attributes for a Windows application object. These are indicated in the following table.

• Configure the Arguments (--protoargs) attribute of the Windows application object. Using this attribute, you can specify ttatsc command options used for a Windows application object.

• Edit the wcpwts.exp login script, and specify ttatsc command options. Any changes you make to this file are used for all Windows applications that connect using the Microsoft RDP protocol.

The following options are supported for the ttatsc command.

Option Description -application application The application to run in the Terminal Services session. -audioquality low|medium|high Sets the quality of the audio redirection. -bulkcompression on|off Enable or disable data compression for the connection. -console Instead of starting a normal RDP session, connect to a console session. This option is available as the Console Mode (--console) attribute for a Windows application. -crypt on|off Configures encryption for the connection. The default setting, on, gives the best user experience. -default depth Whether to let the Terminal Server set the default color depth of the X session. -desktop Whether to display a full screen desktop session. -dir working_dir Working directory for the Terminal Services session. This can be overridden by the application. This option is available as the Working Directory (--workingdir) attribute for a Windows application. -display X display The X display to connect to. -domain domain Domain on the Terminal Server to authenticate against. -keyboard language_tag Input locale. Specify an RFC1766 language tag. -name client name Name of the client device. -netbiosname name NetBIOS name for the client device. This is used for the redirected printer names on the Terminal Server. -noaudio Disables audio redirection. -nofork Do not run ttatsc as a background process. -noprintprefs Do not cache printer preferences. This option is available as the Printer Preference Caching (--noprintprefs) attribute for a Windows application. -opts file Read command options from a file. See Using a Configuration File for details. -password password Password for the Terminal Services user. -perf disable wallpaper|fullwindowdrag| menuanimations|theming|cursorshadow|cursorsettings Disable display options, to improve performance. The available settings are: wallpaper – Disable the desktop wallpaper. This option is available as the Desktop Wallpaper (--disablewallpaper) attribute for a Windows application. fullwindowdrag – Disable the option to show window contents when moving a window. This option is available as the Full Window Drag (--disablefullwindowdrag) attribute for a Windows application. menuanimations – Disable transition effects for menus and tooltips. This option is available as the Menu Animations (--disablemenuanimations) attribute for a Windows application. theming – Disable desktop themes. This option is available as the Theming (--disabletheming) attribute for a Windows application. cursorshadow – Disable the mouse pointer shadow. This option is available as the Cursor Shadow (--disablecursorshadow) attribute for a Windows application. cursorsettings – Disable mouse pointer schemes and customization. This option is available as the Cursor Settings (--disablecursorsettings) attribute for a Windows application. To disable multiple display options, use multiple -perf disable options. -perf enable fontsmoothing Turns on font smoothing for text on the desktop. This option is available as the Font Smoothing (--enablefontsmoothing) attribute for a Windows application. -port port RDP port to connect to on the Terminal Server. The default setting is 3389. -printcommand command This option is deprecated. -remoteaudio Leaves audio at the Terminal Server. This option is available as the Remote Audio (--remoteaudio) attribute for a Windows application. -sharedcolor Do not use a private color map. -size width height Display width and display height for the Terminal Services session, in pixels. -spoil This option is deprecated. -stdin Read command options from standard input. Used by the login scripts to pass command options to ttatsc. -storage data_dir This option is deprecated. -swmopts on|off Enable local window hierarchy for applications that use seamless windows. Needed for some Borland applications. -timeout connect secs Timeout for connecting to the Terminal Server, in seconds. -timeout establish secs Timeout for establishing an RDP connection, in seconds. -uncompressed This option is deprecated. -user username User name for the Terminal Services user. -windowskey on|off Whether to enable or disable Windows key for the Terminal Services session. The default setting is on.

Using a Configuration File

A configuration file is a text file containing the ttatsc command-line options to be used for the connection. Each option must be on a separate line without the leading dash (-). The argument and its value are separated by whitespace. Use either single or double quotes to enclose any literal whitespace.

The escape character is \.The following escape sequences are supported:

• \n is a new line (0xA)

• \r is a carriage return (0xD)

• \t is a tab (0x9)

• \\ is a literal \

• \" is a literal double quote not used for delimiting quoted arguments

• \'is a literal single quote not used for delimiting quoted arguments

The following is an example configuration file:

u "Indigo Jones"
p "Wh1teh4ll"
a "C:\\program files\\notepad.exe"
naples.indigo-insurance.com

Running Windows Applications on Client Devices

You can run a Windows application on a client device, instead of displaying it through SGD. If the application is not available on the client device, and the SGD Remote Desktop Client check box is selected, SGD tries to run it on the application server.

Applications that run on client devices are not resumable, even if the Application Resumability is configured.

The application must be installed in the same location on all client devices.