Administrator's Guide HP Session Allocation Manager (SAM) v.2.
© Copyright 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Microsoft and Windows are trademarks of Microsoft Corporation in the U.S. and other countries. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
About This Book WARNING! Text set off in this manner indicates that failure to follow directions could result in bodily harm or loss of life. CAUTION: Text set off in this manner indicates that failure to follow directions could result in damage to equipment or loss of information. NOTE: Text set off in this manner provides important supplemental information.
1 Introduction HP Remote Client Solutions are designed to support a variety of users’ needs, from the most basic computing tasks to more demanding professional and technical applications, while giving IT greater control over technology resources, simplifying desktop management, increasing agility and, in many cases, reducing total cost of ownership.
How It Works (Overview) HP SAM enables automatic provisioning of remote computing resources to users. Figure 1-1 HP SAM Configuration HP SAM can be configured to enable a user to connect to the desktop session of a particular remote computing resource (identified by its hostname or IP address)—this is known as a static connection. In Figure 1-1 HP SAM Configuration on page 2, HP SAM has been configured to statically connect user Tom to blade PC 1 with an IP address of 15.2.76.100.
Overview 1. When a user on an access device (desktop, notebook, thin client) requests a desktop session, the HP SAM client sends a request to the HP SAM Web server. a. If configured, HP SAM supports server failover. If the HP SAM Web server does not respond, the HP SAM client goes down the list to the next HP SAM Web server. b. The HP SAM client sends the user name and domain information to the HP SAM server. 2. The HP SAM Web server receives the user name and domain from the HP SAM client.
database to determine if a connection to a computing resource can be made and, if so, which computing resources should be accessed. ● HP SAM Registration Service—The HP SAM Registration Service (registration service) runs on the computing resource, and communicates the status of any access device connections to the HP SAM Web Server.
In Figure 1-2 Dynamic Connection Example on page 4, we need to grant user Mai access to computing resources. A pool of three blade workstations has been assembled, each configured to support the role of “abcde”. ▲ We assign Mai a role of “abcde.” See Manage Users on page 32. This means Mai is now authorized to access any computing resource which supports a role of “abcde.
Configuring a Monitor Layout for a User HP SAM allows a user to connect to multiple computing resources, thus running simultaneous RGS or RDP sessions. Blades can be made available either by static assignment to the user or by assignment to roles allocated to the user. Static user/display ID to computing resource mapping allows a specific combination of user ID and client ID to be mapped to a specific computing resource or a specific group of computing resources.
Figure 1-5 Monitor Offset Configuration Example Remote Graphics Software (RGS) RGS is a communication protocol similar to Microsoft Remote Desktop Protocol (RDP). HP SAM allows you to use either RGS or RDP. RGS has a couple of advantages over RDP: ● RGS has advanced graphics capabilities that provide a better video viewing experience that allows users to connect to the desktop of a remote computer over a standard computer network. ● RGS supports multiple monitors configured with an offset layout.
x86-compatible server, such as an HP Proliant server with: ● Processor: Pentium 4, 1.
● Geographic location and/or network architecture ● Fault tolerance decision HP SAM SQL Database Server Software Requirements Minimum: One of the following must be installed: ● Microsoft SQL Server 2000 with Service Pack 3 ● Microsoft SQL Server 2005 HP recommends using Microsoft SQL Server 2000 or 2005 Standard Edition.
● HP Compaq t5520 Thin Client ● HP Compaq t5530 Thin Client If the HP SAM client is preinstalled, you need only to configure the HP SAM client to connect to the appropriate HP SAM Web server. If the HP SAM client is not preinstalled, installation requires that the access device has at least 3 MB of flash memory. Software Requirements Install and enable one of the following operating systems: ● Windows XP Embedded ● Windows CE 5.
Other requirements Create a Service Account The HP SAM Web server must run under a domain user account in which it can execute the HP SAM services on the local server. ● Create the account prior to installation of the HP SAM server application. ● Change this account name and password as infrequently as possible to minimize interruptions to HP SAM. ● Add the account to the local server administrator group on all HP SAM Web servers.
2 Installation For new setup, the recommended order of installation is: ● Install the HP SAM Web Server and SQL Software on page 12 ● Install and Validate the HP SAM Registration Service Software on page 14 ● Install and Validate the HP SAM Client Software on page 16 ● Deploy the HP SAM Registration Service to All HP SAM Computing Resources on page 26 ● Deploy HP SAM Client Software to All HP SAM Access Devices on page 26 Install the HP SAM Web Server and SQL Software The installation package ins
6. Leave the default installation folder as is or click the Browse button to change it. Click Next to continue. 7. Type the SQL server name, the SQL authentication User Name, and Password. The SQL user account needs the ability to create a database on the SQL server for proper installation of the application. If the HP SAM database does not exist, the installation creates one. If the database already exists, then the installation links the Web server to the HP SAM database server. 8.
Configure HP SAM System Settings Log in to the HP SAM administrator console, go to the System Settings tab, and make appropriate changes. See System Settings Tab on page 40 for detailed instructions. Install and Validate the HP SAM Registration Service Software Manually installing this software consists of these steps: 1. Install the HP SAM Registration Service on page 14 2. Create the HP SAM Registration Service Configuration File on page 15 3.
Create the HP SAM Registration Service Configuration File The HP SAM registration service configuration file is an INI text file named hpevent.cfg. The HP SAM registration service tries to locate the configuration file in the order of locations listed below. Once the service locates the file, the service stops the search and extracts the contents.
Computing resources are allocated to the user in the priority order below: ● Available computing resource assigned to this role only ● Available computing resource assigned to multiple roles, with this the primary role ● Available computing resource assigned to multiple roles, with this the non-primary role NOTE: If at any time the configuration file is changed on the computing resource, you must restart the service for the changes to take effect.
Table 2-1 HP SAM Client Comparison Features Internet Explorer-Based Windows XP Embedded-Based Windows CE 5.0-Based Blade Workstation Client Embedded OS Operating System support Windows 2000 Windows 2000 Windows CE 5.
Windows XPe-Based Client To install the HP SAM client on a Windows XPe-based thin client or on a desktop/notebook PC: 1. Log in to the access device under an account with local administrative rights and run the scw32xx ##.msi file (## is the software version) to install the Windows XP-based client. Replace xx with: ● EN = English ● JA = Japanese ● FR = French ● DE = German ● KO = Korean ● ZH-CN = Simplified Chinese 2. Follow the installation wizard. 3.
3. Click the Options button. 4. Change connection settings, if needed. 5. Click the Save Settings button. 6. Select Desktop from the Save in list. 7. Click Save. You are now able to start the client from the desktop. NOTE: You can set additional settings by manually editing the .SAM file. Refer to Configuration Settings on page 20 for a list of the options available for the Windows CE-based client.
Configuration Settings Options There are additional options to configure the settings. You can set these options by manually editing the .SAM file. The following list provides supported keys and values within the [HPRDC] section. ● Gateways—string value. Points to the section that lists HP SAM Servers. ● DefaultPolicy—string value. This is the policy that should be selected by default. ● DefaultDomain—string value.
Default value is 0 (all bits off). For example, to turn off the Cancel and Minimize buttons and leave the Close button on, set the value to 3. ● DisplayShutdown—integer value, 0 or 1. When set to 1, an Action button is added to the client user interface. This is the same button created by the DisplayShutdown, DisplayRestart, and DisplayLogoff options. If the button already displays from another option setting, the Shutdown option is added to the button drop-down.
Smart Card Settings NOTE: Smart card settings are not valid for Windows CE-based client or Blade Workstation Client series. ● SmartCardAlways—integer value, 0 or 1. Allows user to use smart card to enter credentials and log in. If UiMode = 0 or 1, user has option of using smart card to log in. If UiMode = 2, user must log in with smart card. See “UiMode” in User Interface Customization Settings on page 22. Default is 1 (allow). ● SmartCardRequiresClick—integer value, 0 or 1.
● EnablePassword—integer value, 0 or 1. When set to 1, shows the Password box on the access device user interface. When set to 0, the password box is not available. Default is 1. ● UILanguage—language identifier. Supported identifiers include: ◦ EN = English ◦ FR = French ◦ DE = German ◦ JA = Japanese ◦ KO = Korean ◦ ZH-CN = Simplified Chinese If the identifier is not supported or the property is not present in the configuration file, the application defaults to US English.
● KeyRepeatEnabled—integer value, 0 or 1. If 1, disables key repeat suppression normally required by RGS to keep keys in hot key sequences from repeating when held down. This value is only supported for RGS connections. Default is 0. ● USBActiveSession—integer value, 1–12. Selects session to receive USB redirection. This value is only supported for RGS connections. ● MapUSB—integer value, 0 or 1. If 1, allows USB redirection. This value is only supported for RGS connections. Default is 0.
● RgsWarningTimeout—integer value. The timeout in milliseconds used to detect and notify the user of a network disruption. For more information, see rgreceiver.network.timeout.warning in the RGS documentation. The default value is the user interface value of 2000 milliseconds - two seconds. The user interface displays this value in seconds. This value is only supported for RGS connections. ● RgsErrorTimeout—integer value. The timeout in milliseconds used to detect and disconnect an inactive connection.
NOTE: If RGS is the communication protocol, when multiple monitors are attached to the access device, this value is ignored and spanning is enabled by default. For more information about RGS, refer to your Remote Graphics Software documentation. Deploying the HP SAM Client Application Various methods are available to deploy the client application to multiple access devices. Following are two examples: ● Use software deployment tools like HP Rapid Deployment Pack. a.
Various methods can be used to deploy the Windows XPe-based or Windows CE 5.0-based HP SAM client to the access devices. Following are two examples. ● Use software deployment tools such as HP Rapid Deployment Pack. a. Install the HP SAM client on the access devices. b. Update the client hprdc.sam file to connect to the HP SAM server. ● Post the HP SAM Windows XPe-based client installation file and/or the HP SAM Windows CE 5.0-based client installation file on a Web site or fileshare.
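Before an edited hprdc.sam file is pushed to many access devices, its [HPRDC] keys can be checked against the value rules listed under Configuration Settings. The following script is an added example, not HP code: the sample file, the section name SamServers, the entry inside it, and the protocol argument (passed in by the caller because the key that selects the protocol is not described above) are assumptions made for illustration.

```python
import configparser

# Value rules transcribed from the [HPRDC] key descriptions in this guide.
BOOL_KEYS = ("DisplayShutdown", "SmartCardAlways", "SmartCardRequiresClick",
             "EnablePassword", "KeyRepeatEnabled", "MapUSB")
INT_KEYS = ("UiMode", "RgsWarningTimeout", "RgsErrorTimeout")
RGS_ONLY_KEYS = ("KeyRepeatEnabled", "USBActiveSession", "MapUSB",
                 "RgsWarningTimeout", "RgsErrorTimeout")
UI_LANGUAGES = ("EN", "FR", "DE", "JA", "KO", "ZH-CN")

# Constructed sample file (not taken from a real deployment).
SAMPLE_SAM = """\
[HPRDC]
Gateways=SamServers
DefaultDomain=EXAMPLE
UiMode=2
SmartCardAlways=0
EnablePassword=yes
UILanguage=ES
USBActiveSession=13
MapUSB=1

[SamServers]
; entry format inside this section is assumed for the sample
Server1=sam01.example.test
"""


def audit_sam(text, protocol):
    """Return a list of (key, message) findings for one .SAM file.

    protocol is "RDP" or "RGS" and is supplied by the caller (assumption).
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    if not cp.has_section("HPRDC"):
        return [("HPRDC", "section missing")]
    s = cp["HPRDC"]
    findings = []

    def as_int(key):
        try:
            return int(s[key].strip())
        except ValueError:
            findings.append((key, "not an integer: %r" % s[key]))
            return None

    # Parse every documented integer key that is present.
    values = {}
    for key in BOOL_KEYS + INT_KEYS + ("USBActiveSession",):
        if key in s:
            values[key] = as_int(key)

    for key in BOOL_KEYS:
        v = values.get(key)
        if v is not None and v not in (0, 1):
            findings.append((key, "must be 0 or 1, got %d" % v))
    v = values.get("USBActiveSession")
    if v is not None and not 1 <= v <= 12:
        findings.append(("USBActiveSession", "must be 1-12, got %d" % v))

    # Identifiers are compared exactly as the guide lists them.
    lang = s.get("UILanguage")
    if lang is not None and lang.strip() not in UI_LANGUAGES:
        findings.append(("UILanguage",
                         "unsupported, client falls back to US English"))

    # Gateways must name a section that exists in the same file.
    gw = s.get("Gateways")
    if gw is not None and not cp.has_section(gw.strip()):
        findings.append(("Gateways",
                         "points to missing section [%s]" % gw.strip()))

    if protocol.upper() != "RGS":
        for key in RGS_ONLY_KEYS:
            if key in s:
                findings.append((key, "only supported for RGS connections"))

    # Settings worth a second look before rollout.
    if values.get("MapUSB") == 1:
        findings.append(("MapUSB",
                         "USB redirection enabled; confirm it is intended"))
    if values.get("UiMode") == 2 and values.get("SmartCardAlways") == 0:
        findings.append(("UiMode",
                         "smart card required (2) but SmartCardAlways=0"))
    return findings


if __name__ == "__main__":
    for key, message in audit_sam(SAMPLE_SAM, "RDP"):
        print("%-18s %s" % (key, message))
```

Keys the script does not know are ignored rather than reported, since only part of the key list is reproduced in this guide.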
3 Administration Log In In the Internet Explorer Address bar, enter in the HP SAM Web server name with /Manage added to the URL (for example, https://HPSAMservername/Manage). If SSL is configured and a certificate-related security pop-up message is displayed, click Yes. Once you get to the log-in page, enter username, password, and click the Sign In button. You have two ways to enter in your username. It can be entered as domain\username or your User Principal Name (UPN) (yourname@yourcompany.com).
Select More Than One Item The top left side of the result grid includes a check box. ● To select all items on all pages, not just the page shown, select this check box. ● To clear all boxes on all pages, not just the page shown, clear this check box. Managing the HP SAM Administrator Access List The Domain Administrator and Domain Users in the HP SAM server Local Administrator Group are automatically members of the HP SAM Administrator Group.
NOTE: To make future changes, go to Active Directory and add or remove users from those groups. Remove Users From the HP SAM Administrator Group To remove users from the HP SAM Administrators list, navigate to the Users and Roles > Manage users. 1. In the Filter Options section, from the Role list select the [Administrator]. Administrator group names are encased in square brackets, for example [Admin Group]. 2. Click Search. 3. Select the check box next to the appropriate names. 4.
● Enabled column: ◦ If selected, the role is available for allocation. ◦ If there is no check mark, then all blades are unavailable for user connection through HP SAM within the scope of that role. ◦ To change the setting, select or clear the check box, and then click Save. ◦ If the setting check box was cleared: - New user connection requests to this role are denied by the HP SAM Web server. - Current active connections are left as is.
3. To change values for the different categories, select a category from the Category list, and in the Permissions area, change the permissions as necessary. Repeat this process for each category you want to modify. 4. Click Save. To delete an Administrator group: 1. Select the group or groups to delete. You can delete more than one group using this procedure. 2. Click Delete and click OK to confirm. Manage Users By default, the search shows all users.
6. If you want to assign the user to an Administrator group, select the group from the Administrator Group list. 7. Double-click roles or use the arrows between the Available and Selected boxes to move the roles. Place all roles you want to assign to the selected user in the Selected box. 8. Click Save to save your changes. Assign Resources This option allows you to assign a specific resource (such as a blade PC) to a user and to configure the monitor layout for a user.
6. To remove everything on this row: dedicated resources, role, and backup resources, click Remove in the Operation column. 7. To remove the backup resource only: a. Click the backup role or resource in the Backup column. b. If removing a role, click the Role button, and then clear the check box of the role you want to remove. c. If removing a resource, click the Resource button, click Search, and then clear the check box of the resource you want to remove.
To Delete a User Deletes a user from the system. To delete a user: 1. Select the check box next to the appropriate name(s). 2. From the Operation list, select Delete, and then click the Go button. Add New Users For any role that is not public, users must be in the access list to request a computing resource (such as a blade PC) from that role. You can add the user as an individual, in a security group, or in an organizational unit.
Resources tab The following sections explain what is available under the Resources tab. Manage Resources By default, the search shows all computing resources (such as blade PCs). You can narrow the list of resources shown by using the filter options. The filter option is based on “AND” combinations, so the more boxes you enter, the narrower the list of resources shown.
Operations ● Delete—Delete the resource from the system. Do this to clean up the database. You can delete the computing resource only if its current status is Offline. ● Disable—Prevent the resource from further allocation. If connected or disconnected, the current user session is unaffected. If disconnected, the user is not able to log back into the computing resource. ● Enable—Allow the resource to be allocated. ● Logoff User—Force logging off the current user on the resource.
To Change an Access Device 1. Type one or more parameters and click Search, or click Search to find all registered access devices. 2. If you want to change the friendly name for the access device: a. Click the link in the Friendly Name column, and then type a new friendly name for the access device in the Access Device window. b. Click Save. 3. If you want to change the monitor layout id for the access device: a.
To Delete a Monitor Layout 1. Select the check box next to the appropriate monitor layout. 2. Check Delete and then click OK. Policies Tab Policy management allows the administrator to override the user’s HP SAM client settings. In general, the user is allowed the flexibility to customize the connection settings on the client side. If there are specific settings that the user must always connect with, then the administrator must use the Policies tab to define the forced settings.
Table 3-1 Effective Hierarchical Policy Example (continued) Parameter Global Role OU SG1 SG2 User Effective 3 ON OFF ON OFF ON Not Assigned OFF P6 1 The order of policy assignment is User (highest) > Security Group > OU > Role > Global Policy (lowest). Individual parameters assigned at the User level override parameters set at the Group level, and so forth.
General This page allows the administrator to define the settings for the entire system. Make the appropriate change(s) and click Save to apply. ● History—If selected, the system records and retains historical data for reports for the number of days selected in the Keep raw data for list. Use this option to limit the history database size. Microsoft SQL 2000 MSDE and 2005 Express Edition include a database size limit of 4 GB.
- Reported Subnet—The subnet that the computing resource used to register/communicate with HP SAM. - Specified Subnet—If both the HP SAM server and the computing resource each have two NICs communicating through two independent subnets, then it is necessary to specify which subnet the access device needs to use to make a connection request. NOTE: HP SAM allows you to enter in only one subnet range. If the network environment is complex, then you must use DNS/Computer name instead of IP address.
◦ Auto-connect—Select Enabled so the client automatically connects when the user inserts the smart card. ◦ Cryptographic service providers (CSP)—Type the name of the CSP that supports the smart card solution you select when configuring smart card login. This value represents the identifier of the cryptographic service provider (CSP) to use. Use the Create, Edit, or Delete buttons to take the appropriate action for this value.
● Scheduled Time—Select the time when the synchronize operation is to run. Check as many as appropriate. ● Scheduled Day—Pick one of the options below. ◦ Daily—Type the number of days after which the event is to recur. ◦ Weekly—Type the number of weeks after which the event is to recur and on which day(s) of the week it is to recur. ● Clear Options ◦ Delete entries older than—Type the number of days to keep entries and delete if older.
● Role Public—Narrow the data to all roles that have no user access list restriction (Yes), restricted access role (No), or ignore this flag by selecting Both. ● Roles—See data for the selected roles only. If you choose this option, the system ignores the Role Enabled and Role Public boxes above. Display Options ● Threshold Percentages—On the report you can highlight the data if it exceeds the number entered here. ◦ Minimum Available—If data is below the value entered, the report highlights it.
Display Options ● Threshold Percentages—On the report you can highlight the data if it exceeds the number entered here. ◦ Minimum Available—If data is below the value entered, the report highlights it. ◦ Maximum Consumed—If data is above the value entered, the report highlights it. ● Time Interval—Chart the data where the scale is based on hour, day, week, or month. ● Include raw data—If the raw data is also wanted in the report, check the Include raw data box.
● Role Public—Narrow the data to all roles that have no user access list restriction (Yes), restricted access role (No), or ignore this flag by selecting both. ● Roles—See data for the selected roles only. If you choose this option, the system ignores the Role Enabled and Role Public boxes above. Display Options ● Open in New Window—If selected, the result data are shown in a new browser window. Output Report ● Role Name—Name of role.
Use the following steps to enable the HP SAM client to log in using a smart card. 1. Attach the smart card reader to the access device. 2. Install the smart card reader driver onto the access device. 3. Install the smart card cryptographic service provider (CSP) software onto the access device that supports your smart card solution. This software is required to read the contents of the smart card. 4. Install the HP SAM client software onto the access device. 5.
A Firewall rules This appendix lists the rules needed for communication between the various components. The values in parentheses represent ports, with ANY meaning any port on that component.
SQL Server (only if not running on the same machine as the Web server) ● Incoming: ◦ From Web server (TCP/ANY) to SQL_Server (TCP/1433) ● Outgoing: ◦ None
B Frequently Asked Questions
Question: Why do some users on the HP SAM client have to select a role to connect and others do not?
Answer: Users who are in more than one role need to select the role to connect. Those users who are in only one role do not see this screen. A user assigned a single dedicated resource does not have to select a role. Also, when Monitor Layout IDs and when Multi-Session Autoconnection are used, the user is not prompted for a role.
Question: Why are my RDC settings not working as I set them on the client side?
Answer: The settings on the client side may have been overridden by the forced settings on the HP SAM server in the Policy tab.
Question: Why does my user have to type the password twice every time to log into a computing resource?
Answer: This should not happen. The Active Directory policy is requiring the user to log in to the blade interactively.
those computing resources was off-line, disconnected, or online when the SQL server went down, then you must find those computing resources and add them back to the HP SAM system. To do that, stop and restart the registration service on those units. When in doubt, stop and restart the registration service on all of the computing resources. This action has no impact on current users active on the computing resources.
stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="110" /> If you increase the value above 120 minutes, you also need to modify the WEB.CONFIG file under the manage subfolder (usually c:\Program Files\Hewlett-Packard\SAM\manage). Use Notepad to edit the file. Modify the time-out value in the line as below from 120 to the new value.
Question: Why do I see line graphs in the Resource Capacity Consumption Report in the HP SAM administrator console in some instances and not in other instances?
Answer: Make sure the browser language in which you are viewing the report is the same as the HP SAM Web server operating system language. For example, if you are viewing the HP SAM administrator console in Japanese, the HP SAM Web server operating system language must be Japanese.
C Registration Service Error Codes The following is a list of possible errors which the registration service writes to the event log file on the computing resource. If you encounter a critical issue on the blade, note the error code and communicate it to the support team. BC0001—Internal error accessing WMI. Contact your HP SAM support team. BC0002—Internal error accessing WMI. Contact your HP SAM support team. BC0003—Internal error failed to spawn threads, usually due to low memory.
BC0024—Internal error. Contact your HP SAM support team. BC0025—Internal error. Contact your HP SAM support team. BC0026—Error communicating with the Terminal Services subsystem. Contact your HP SAM support team. BC0028—Failed to set up UDP server port. Check if another program is already using the same UDP port (usually port 47777 by default). BC0029—Failed to receive UDP data from network (recvfrom() failed). Check your network and/or firewall settings.
BC0104—Failed to set up properties for listening UDP socket. Contact your HP SAM support team. BC0105—(Warning) this resource has no roles defined. Without a role, the computing resource is not available for allocation. BC0106—(Warning) Internal service error in communicating with the SCM. May affect how the Service Control Manager determines if the service has been started or stopped. Contact your HP SAM support team. BC0107—Failed to setup timer. Internal error, possibly due to low memory conditions.
D Glossary Active Directory—A Microsoft Windows directory service that stores an enterprise’s information and settings in a central, organized, accessible database. Active Directory allows administrators to assign policies, deploy programs, and apply critical updates to an entire organization. Client—An access device that sends requests to the HP SAM Web server to get an available computing resource to which to connect. CSP—Cryptographic service provider.
SAM—HP Session Allocation Manager. The software system described in this document. Session Persistence—Ability for the user to connect to the same session without having to log off. Smart card—A pocket-sized card that contains embedded circuits that can provide security services, such as the ability to securely store password information. UPN—User Principal Name. A user-friendly name in email address format.