Bits and Chaos

Between bits and chaos, a sysadmin stands.

Remotize your desktop: NX

Sometimes you are lucky enough to encounter software so great that you realize the future is already here.

This is one of my all-time favourite pieces of software, the NX server from Nomachine. It’s basically a secure terminal server for Linux, with amazing speed: work remotely over an ADSL line and you barely notice the difference between the local desktop and the remote desktop.

From time to time, the experienced system administrator may need to use a graphical tool on a remote server (the junior administrator, instead, always wants to use a graphical tool for system administration). The first way to get this is the ssh -X command, but the speed of the remote desktop is quite low: the X Window System was designed for LAN environments, whilst in a WAN scenario round trip times are no longer negligible.

The very experienced system administrator could bypass this problem by using VNC, tunnelling it over a secure connection, and this could give a speed gain. This requires some work: installing the VNC server on the remote server, securing it, defining an X startup script, creating an SSH tunnel.

This is where NX comes in. You can install it on the server (you need the NX client, NX server and NX node pieces; they are packaged for all the most important distributions), and then by using the NX client on your client you have:

  • near local speed;
  • encryption of all traffic;
  • session suspending and resuming.

the latter being a real advantage over the traditional ssh -X solution. NX is released free as in beer; the free server can accept a maximum of two users at the same time. If you need more power and want advanced features like server statistics and node balancing, you can buy the premium versions.

NX is in a market niche where the behemoth is Citrix Metaframe. To gain market share, they were smart enough to release the NX libraries under the GPL license. A completely GPL’ed server is being developed by the FreeNX project. I played with it some months ago and I found that it lacked some functionality (as an example, there was a problem with a Microsoft Terminal Server client running inside a remote desktop session), but things may have changed, so you can give it a try.

There’s only one thing to check after the installation of the NX server: if you have an iptables firewall on the remote server with rules that govern incoming SSH traffic, be sure to add a rule like this one:

iptables -I INPUT 1 -p tcp --source 127.0.0.1 --dport 22 -j ACCEPT

This is required because NX does a proxy authentication with the remote SSH server. If you omit this rule, the NX connection will stall at the “Downloading session information” phase.
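To check ahead of time whether an existing ruleset would block that loopback connection, a small first-match evaluator can be run over `iptables -S INPUT` output. This is an added example, not code from the original post or from Nomachine; the sample ruleset, the admin network and all names are constructed for illustration. It assumes only the match options listed in `CHECKS` and does not follow jumps to user-defined chains.

```python
import ipaddress
import shlex

# Constructed sample of `iptables -S INPUT` output (203.0.113.0/24 is a documentation range).
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i lo -j ACCEPT
"""
# The post's rule as `iptables -S` prints it, placed first (what -I INPUT 1 does).
NX_RULE = "-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 22 -j ACCEPT"
FIXED_RULES = SAMPLE_RULES.replace("-P INPUT DROP\n", "-P INPUT DROP\n" + NX_RULE + "\n")
# The connection the NX server opens to the local sshd.
PACKET = {"src": "127.0.0.1", "proto": "tcp", "dport": 22, "iface": "lo", "state": "NEW"}

# One predicate per supported match option: (rule value, packet) -> bool.
CHECKS = {
    "-s": lambda v, p: ipaddress.ip_address(p["src"]) in ipaddress.ip_network(v, strict=False),
    "-p": lambda v, p: v in (p["proto"], "all"),
    "--dport": lambda v, p: int(v.split(":")[0]) <= p["dport"] <= int(v.split(":")[-1]),
    "-i": lambda v, p: v == p["iface"],
    "--state": lambda v, p: p["state"] in v.split(","),
    "--ctstate": lambda v, p: p["state"] in v.split(","),
    "-m": lambda v, p: True,  # names a match module only; its options are checked above
}

def rule_matches(matches, pkt):
    """True if every option/value pair of one rule applies to pkt."""
    for opt, val in zip(matches[::2], matches[1::2]):
        if opt not in CHECKS:
            raise ValueError(f"unsupported match: {opt}")  # fail loudly, never guess
        if not CHECKS[opt](val, pkt):
            return False
    return True

def loopback_ssh_verdict(rules_text, pkt=PACKET):
    """First-match evaluation of INPUT; only ACCEPT/DROP/REJECT rules decide."""
    policy = "ACCEPT"
    for line in rules_text.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] == ["-P", "INPUT"]:
            policy = tokens[2]
        elif tokens[:2] == ["-A", "INPUT"] and "-j" in tokens:
            j = tokens.index("-j")
            if tokens[j + 1] in ("ACCEPT", "DROP", "REJECT") and rule_matches(tokens[2:j], pkt):
                return tokens[j + 1]
    return policy
```

On the sample ruleset the verdict is DROP even though a later rule accepts everything on `lo`, because the SSH drop rule matches first; with the rule inserted at position 1 it becomes ACCEPT.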

With such a tool, I was able to administer a scientific cluster working from home, installing software that requires a graphical screen (like Matlab). I’m planning to install a Network Management Server like Nagios or OpenNMS and to make it listen for incoming HTTP requests only from 127.0.0.1: I will connect to the remote machine via NX and then launch a remote Firefox browser to reach the local web server. With such a scheme, I can connect to the remote machine using a certificate or port knocking or both, and even if the Network Management Server had a security flaw, it wouldn’t be listening on the Internet.

Congratulations Nomachine! And thanks for bringing us this great tool.

Filed under: virtualization

One Response

  1. Sanjay says:

    The very experienced system administrator could bypass this problem by using tunnelling it over a secure connection.
