Accessing Remote Desktop using VNC on Dell PowerEdge Servers and MX7000 Modular Infrastructure
This technical white paper provides information about establishing secure remote desktop connections to server host operating systems (OS) by using the standard VNC clients.
Abstract
Dell EMC PowerEdge servers support efficient and secure remote management tools.
Revisions
Date: Sep 2018
Description: Initial release
Acknowledgements
This paper was produced by the following members of the Dell EMC Server and Infrastructure Systems team:
Authors
Saurabh Kishore — Software Principal Engineer
Alex Rote — Software Senior Engineer
The information in this publication is provided “as is.” Dell Inc.
Executive summary
Dell EMC PowerEdge servers support efficient and secure remote management tools. Virtual Network Computing (VNC) technology is incorporated in the iDRAC Enterprise firmware to support open and easy-to-use remote desktop functionality. This functionality is in addition to the browser-based remote console support accessible on the iDRAC GUI. With the VNC server enabled on iDRAC, IT admins can easily and securely access the OS running on the server by using a VNC client.
1 Introduction Remote Desktop connections are useful in provisioning, monitoring, and troubleshooting systems. Similar to other remote desktop technologies, VNC servers and clients allow for a virtual keyboard, video, and mouse device (KVM) connection to the host OS. VNC clients are available for a variety of desktop and mobile platforms.
2 Configuring the iDRAC VNC server The iDRAC VNC server is disabled by default and must be configured to be used. There are a number of general- and security-related settings. The iDRAC VNC settings may be configured by using the web GUI or RACADM Command Line Interface (CLI) as described in this document. Settings may also be changed by using programmatic interfaces such as WS-Man. For more information about WS-Man, see the Dell Tech Center resources provided in Technical support and resources. 2.
2.3 Security-Related VNC server settings
The iDRAC VNC server supports three major operating modes:
Mode: VNC over SSH
Description: Dell 14G servers support VNC over SSH. This mode is automatically enabled if both VNC and SSH are enabled; SSH is enabled by default. To use VNC over SSH, authenticate to SSH with iDRAC credentials (username/password).
Note—VNC over SSH is not compatible with VNC over TLS. When using VNC over SSH, set the SSL Encryption setting to disabled.
VNC encryption is disabled
The VNC security attributes are as follows:
Attribute: VNC Password
Description: Use this to set a VNC password. This password is used only by VNC. It is shared among all VNC connections and is not associated with a username.
Note—Anyone with this password and network connectivity to the iDRAC will be able to establish a remote desktop connection to this server.
Attribute: Confirm Password
Description: When setting a VNC password, reenter the password here to verify it was entered correctly.
2.4 Configuring VNC by using the iDRAC GUI
To configure VNC settings by using the iDRAC GUI:
1. Connect to the iDRAC by using a web browser.
2. Navigate to the iDRAC VNC settings:
   a. On a 14G server (or blade), click Configuration > Virtual Console and scroll down to the VNC section. See Figure 1.
   b. On a 13G or 12G server, click iDRAC Settings > Network in the navigation page, click the Services tab, and then go to the VNC Server settings by using the link at the top of the page. See Figure 2.
3.
The 13G or 12G iDRAC GUI VNC settings
2.5 Configuring VNC by using RACADM CLI
1. Start a RACADM session by using the Dell Remote RACADM client or an SSH client such as PuTTY.
2. Check the existing VNC Server settings:
   /admin1-> racadm get idrac.vncserver
   [Key=idrac.Embedded.1#VNCServer.1]
   Enable=Disabled
   !!Password=******** (Write-Only)
   Port=5901
   SSLEncryptionBitLength=Disabled
   Timeout=300
3. To get possible values for a configuration option, run the help command:
   /admin1-> racadm help idrac.vncserver.
4. Enable the VNC Server and configure necessary settings:
   /admin1-> racadm set idrac.vncserver.enable 1
   [Key=idrac.Embedded.1#VNCServer.1]
   Object value modified successfully
   /admin1-> racadm set idrac.vncserver.timeout 600
   [Key=idrac.Embedded.1#VNCServer.1]
   Object value modified successfully
5. Ensure that the values are set correctly:
   /admin1-> racadm get idrac.vncserver
   [Key=idrac.Embedded.1#VNCServer.
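The verification in step 5 can be automated. The following is an added example, not part of the Dell white paper or of RACADM: it parses output in the format shown above and reports settings that conflict with the security notes in section 2.3. The sample output is constructed, the value Enabled is assumed as the counterpart of the Disabled value shown above, and the names parse_racadm, audit_vnc and uses_ssh_tunnel are hypothetical.

```python
# Added example: audit `racadm get idrac.vncserver` output (format from section 2.5).
# SAMPLE is constructed for illustration, not captured from a real iDRAC.
SAMPLE = """\
[Key=idrac.Embedded.1#VNCServer.1]
Enable=Enabled
!!Password=******** (Write-Only)
Port=5901
SSLEncryptionBitLength=Disabled
Timeout=600
"""

def parse_racadm(text):
    """Return {attribute: value} parsed from `racadm get` output."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, the [Key=...] header and anything without a value.
        if not line or line.startswith("[") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # Drop the "!!" marker and the "(Write-Only)" note seen on Password.
        settings[name.lstrip("!").strip()] = value.replace("(Write-Only)", "").strip()
    return settings

def audit_vnc(settings, uses_ssh_tunnel=False):
    """Return (severity, message) findings. uses_ssh_tunnel is a hypothetical
    flag: True when clients are expected to use VNC over SSH (14G only)."""
    # Assumption: an enabled server reports Enable=Enabled.
    if settings.get("Enable") != "Enabled":
        return []  # VNC server off: nothing exposed by this service
    port = settings.get("Port", "?")
    tls_off = settings.get("SSLEncryptionBitLength") == "Disabled"
    findings = []
    if tls_off and not uses_ssh_tunnel:
        findings.append(("HIGH", f"VNC on port {port} is unencrypted; enable "
                         "SSL Encryption or require VNC over SSH"))
    elif not tls_off and uses_ssh_tunnel:
        findings.append(("CONFIG", "VNC over SSH is not compatible with VNC "
                         "over TLS; set SSL Encryption to Disabled"))
    # The VNC password is shared and not tied to a username.
    findings.append(("INFO", f"restrict network access to port {port}: anyone "
                     "with the shared VNC password can connect"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_vnc(parse_racadm(SAMPLE)):
        print(f"{severity}: {message}")
```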
3 Connecting Windows with SSVNC Integrated Tunneling SSVNC is a VNC client that includes integrated support for VNC over SSH and VNC over TLS encryption protocols, allowing it to connect to iDRAC securely without configuring multiple applications. It has been tested with the iDRAC with and without secure tunneling enabled. This open-source software is available for free download from the project repository. Note—SSVNC is also available for Linux/Unix and Mac OS X. 3.
Connecting VNC by using SSVNC
3. The radio button selection should match the iDRAC configuration. To use VNC over SSH, select Use SSH.
4. Otherwise, if SSL Encryption is enabled in the iDRAC VNC Server settings, ensure that Use SSL is selected. If neither applies, None must be selected.
5. Click Connect to start the VNC connection.
6. If SSH is used, you may be prompted to accept the server's SSH key, and you will be prompted to enter the iDRAC password associated with the SSH username.
Note—You can view the iDRAC SSL certificate in a web browser or iDRAC GUI. If the certificate information does not match, it may indicate a security issue and you should terminate the connection. For more information see the corresponding iDRAC User's Guide: http://en.community.dell.com/techcenter/systems-management/w/wiki/3204.dell-remote-access-controller-dracidrac. c. Click Save in the Import/Save SSL Certificate dialog box to save the certificate and continue. d.
4 Connecting Windows with RealVNC and external tunnels RealVNC is a simple VNC viewer client package. Because RealVNC does not support standards-based encryption protocols, it may be used in unencrypted mode, or with external TLS or SSH tunnel clients. Therefore, the general procedures used to start an external tunnel may be used with other clients. Note—The RealVNC clients are also available for other OSs such as Linux, Solaris, Mac OS X, Android, and iOS.
VNC viewer
3. Because the connection is not secure, the following message is displayed: Unencrypted connection to the VNC server
4. Click Continue to begin establishing the VNC connection.
5. When prompted, type the VNC password.
6. The VNC session to Server Host OS will be started by using an unencrypted channel.
4.3 Connecting Using RealVNC over TLS/SSL by using ssltunnel
The TLS/SSL encryption provides protection against information disclosure on the 12G, 13G, and 14G servers.
To enable TLS/SSL encryption on the iDRAC, set the ‘SSL Encryption’ value in iDRAC to Auto-Negotiate, or a specific minimum key length, 128-bit or higher, 168-bit or higher, or 256-bit or higher. For more information about configuring iDRAC VNC settings by using the GUI, see Configuring VNC by using the iDRAC GUI. For more information on configuring settings using the RACADM command line, see Configuring VNC by using RACADM CLI. 4.3.
4. Load the modified stunnel configuration. Right-click the stunnel taskbar icon, and then click Reload Configuration. The updated configuration will take effect. 5. Connections to the local stunnel port will now be encrypted and forwarded to the iDRAC. 4.3.2 Using RealVNC Client with a local TLS/SSL tunnel To use RealVNC with a local TLS/SSL tunnel: 1. Start the RealVNC Viewer Client application. 2. Connect the client to the local tunnel port by entering the local address as the server address.
application is ‘PuTTY’. By first configuring ‘PuTTY’ to establish a connection with the iDRAC SSH server, the VNC client will connect to a local socket on the client system, which will then securely forward data to the server. Because SSH tunneling is not compatible with TLS/SSL encryption, set the ‘SSL Encryption’ value in iDRAC to Disabled. The iDRAC SSH server and VNC server must remain enabled.
The connection will appear in the forwarded ports list:
PuTTY configuration—Options controlling SSH port forwarding
c. Return to the Session page and type the IP address of the iDRAC.
d. To save the session for later reuse, type a name in the Saved Sessions box and click Save.
3. Click Open to connect to iDRAC and establish the tunnel. 4. Click Yes to accept the remote server Key. 5. Enter your iDRAC credentials when prompted. An SSH tunnel is now established. 4.4.2 Using RealVNC Client with a local SSH tunnel 1. Start the RealVNC Viewer Client application. 2. Connect the client to the local tunnel port by typing the local address as the server address. For example, 127.0.0.1:5900. Using RealVNC Client with a local SSH tunnel 3. Press Enter or select the list item to connect.
5 Connecting Android with bVNC
The bVNC client supports secure VNC connectivity with iDRAC, including VNC over SSH and VNC over TLS. Both free and donation-supported versions of the bVNC client are available from the Google Play Store. Dell OpenManage Mobile (OMM) is an application for provisioning, troubleshooting, and monitoring Dell servers. When bVNC is installed, OMM can read and configure iDRAC VNC settings, and launch bVNC with parameters to directly connect to the iDRAC VNC server.
5.2 Connecting using bVNC Prior to connection, the VNC server must be configured as specified in Configuring VNC by using the iDRAC GUI. To configure and establish a connection by using bVNC: 1. Start bVNC from the Android apps list or desktop. 2. In the Connection Type box: a. If using VNC over SSH to connect to a 14G server, select Secure VNC over SSH. b. If SSL Encryption is enabled in the iDRAC VNC Server settings, select Secure VNC over SSL Tunnel. c.
7. Click Connect to start the VNC connection. 8. If using VNC over SSH, you will be prompted to accept the host public key. If TLS/SSL encryption is enabled, the certificate verification dialog box is displayed. Ensure that the certificate information corresponds to the expected iDRAC SSL certificate. 9. After verification, click Yes. The VNC session will be established. Note—You can view the iDRAC SSL certificate in a web browser or iDRAC GUI.
6 Connecting iOS with RealVNC Viewer, Remoter Pro, and Remotix
Remoter Pro and Remotix are remote desktop applications available for purchase in the Apple app store. They support VNC over SSH, allowing secure connections to the 14G PowerEdge servers. RealVNC viewer is a free app available for download, but does not support encrypted connections to the PowerEdge servers. Dell OpenManage Mobile (OMM) is an app for provisioning, troubleshooting, and monitoring Dell servers.
6.2 Connecting using RealVNC Viewer for iOS Prior to connection, the VNC server must be configured as specified in Configuring VNC by using the iDRAC GUI. To configure and establish a connection by using RealVNC Viewer for iOS: 1. Start RealVNC by double-clicking the desktop icon. 2. Click the + icon to add a connection to a known system. 3. Type the iDRAC IP and port number. For example, 198.51.100.123:5901. Click Next and add an identifying name, if necessary. Connecting using RealVNC Viewer for iOS 4.
e. Change the VNC Port to the iDRAC VNC port (The iDRAC default is 5901). f. Click Save. Connecting using Remoter Pro 6. Click the session entry, and click Start. The connection will be started.
6.4 Connecting using Remotix
Prior to connection, the VNC server must be configured as specified in Configuring VNC by using the iDRAC GUI. To configure and start a VNC over SSH connection by using Remotix:
1. Start Remotix from the desktop icon.
2. Tap the + icon to add a connection to a known system.
3. Select the Connection Type VNC.
4. Configure the connection settings:
   a. Enter a connection Name
   b. Set the connection Host to the iDRAC IP such as 198.51.100.123.
   c.
d. Configure the SSH tunnel i. Select the SSH Tunnel option and choose Add new SSH Server ii. Set the SSH Host to the iDRAC IP iii. Set the SSH username to an authorized iDRAC username iv.
v. Tap Done vi. Select the newly created SSH Server, and then tap the back button e. Tap Done 5. Select the connection in the stored list. The connection will be started.
7 Accessing Virtual Media with VNC active
After the VNC session is started using any of the clients, local media on a client such as a desktop or laptop can be mapped virtually to the server host OS by using the Virtual Media feature in iDRAC. This feature is useful where data must be made available remotely, such as packages to update network drivers on the host OS.
7.1 Starting Virtual Media Redirection
1.
7.2 Mapping Virtual Media To virtually map local media on to a server host OS: 1. On the Virtual Media redirected screen, click Virtual Media. 2. Select the required media mapping: either Map CD/DVD or Map Removable Disk.
The mapped media can be seen in the Host OS: 7.3 Unmapping Virtual Media It is recommended that virtual media be ejected from the target host OS. Alternatively: 1. Click the mapped device in the Virtual Media list in the Virtual Media utility. The Unmap Drive Requested is displayed. 2. Click Yes to disconnect the virtual media.
8 Troubleshooting issues when accessing remote desktop using VNC
The following procedures assist in troubleshooting the VNC connectivity.
Symptom: Unable to connect to the iDRAC from VNC client
Possible cause: Settings are incorrect
Resolution: Ensure that the VNC server is enabled. Verify and/or adjust the remote host IP, port number, encryption settings, and password so the client and server values match. If using VNC over SSH, do not enable TLS encryption.
Technical support and resources
• Dell.com/support is focused on meeting customer needs with proven services and support.
A.1 Related resources
Information on the SSVNC client is available at: http://www.karlrunge.com/x11vnc/ssvnc.html
Information on Dell OpenManage Mobile is available from: http://en.community.dell.com/techcenter/systems-management/w/wiki/4965.openmanage-mobile
bVNC can be downloaded from the Google Play store at: https://play.google.com/store/apps/details?id=com.