Administrator's Guide HP Session Allocation Manager (HP SAM) v.3.
© Copyright 2007–2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Microsoft and Windows are trademarks of Microsoft Corporation in the U.S. and other countries. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
About This Book WARNING! Text set off in this manner indicates that failure to follow directions could result in bodily harm or loss of life. CAUTION: Text set off in this manner indicates that failure to follow directions could result in damage to equipment or loss of information. NOTE: Text set off in this manner provides important supplemental information.
iv About This Book
Table of contents 1 Introduction ...................................................................................................................... 1 What's New in This Release ...................................................................................................... 1 Key Features ............................................................................................................................ 2 Overview .............................................................................
Grant Users HP SAM Administrator Access ................................................................ 28 Configure HP SAM System Settings ........................................................................... 28 Configure Secure Socket Layer (SSL) .......................................................................... 29 Install and Validate the HP SAM Registration Service Software .................................................... 29 Install the HP SAM Registration Service ....................
Resource Reservations (AKA Access Restrictions) ........................................................................ 82 Authenticate Before Allocation ................................................................................................. 83 Appendix A Firewall Rules ................................................................................................. 85 Web Server ......................................................................................................................
viii
1 Introduction HP Remote Client Solutions are designed to support a variety of users’ needs, from the most basic computing tasks to more demanding professional and technical applications, while giving IT greater control over technology resources, simplifying desktop management, increasing agility and, in many cases, reducing total cost of ownership.
● Control of Linux Resources from the HP SAM administrative console: ◦ SAM 3.2 adds support for remotely performing the following operations on Linux-based resources from the Resources page of the HP SAM administrative console: —Shutdown —Restart —Logoff ● ◦ These operations were previously only functional for Windows-based resources. ◦ The “Send Message” operation is still not supported on Linux resources. ◦ The SAM 3.
Overview HP SAM enables automatic provisioning of remote computing resources to users. Figure 1-1 HP SAM Configuration HP SAM can be configured to enable a user to connect to the desktop session of a particular remote computing resource (identified by its IP address or hostname)—this is known as a static connection. In Figure 1-1 HP SAM Configuration on page 3, HP SAM has been configured to statically connect user Tom to blade PC 1 with an IP address of 15.2.76.100.
How HP SAM Works 1. When a user on an access device (desktop, notebook, thin client) requests a desktop session, the HP SAM client sends a request to the HP SAM Web server. a. If configured, HP SAM supports server failover. If the HP SAM Web server does not respond, the HP SAM client goes down the list to the next HP SAM Web server. b. The HP SAM client sends the user name and domain information to the HP SAM server. 2.
Overview 5
HP SAM Software Components The following are the primary components of HP SAM. ● HP SAM Client—The HP SAM Client runs on the access device and displays the graphical interface employed by the user to request a connection from a client computer to a computing resource. When the user requests a connection, the HP SAM client communicates this request to the HP SAM Web Server for execution.
Common Tasks Setting up HP SAM 1. Install HP SAM. See Installation on page 25. 2. Add users. a. Add new users. See Add New Users on page 61. b. Create administrative groups, assign users, and customize permissions. See Manage Administrative Permissions on page 56. 3. Create a policy. See Create or Update a Policy on page 69. 4. Create a role. See Manage Resource Roles on page 54. 5. Assign computing resources or roles to the users. See Manage Users on page 57.
connects her access device to one of the three blade workstations (presuming one is available) supporting that role.
Setting up a User with Static (Dedicated) Resources Dedicated (static) resource assignment allows one or more specific computing resources to be assigned to a user and it allows one or more computing resources to be assigned as backup. Support for Static roaming allows users to work from other locations. The differing display configurations can be stacked on the client desktop to provide full access with fewer monitors.
Configuring a Monitor Layout for a User HP SAM allows a user to connect to multiple computing resources, thereby creating simultaneous remote sessions. Resources can be made available either by static assignment to the user or by assignment to roles allocated to the user. Mapping a static user/display ID to computing resource(s) allows a specific combination of user ID and client ID to be mapped to a specific computing resource or a specific group of computing resources.
Figure 1-5 Monitor Offset Configuration Example Common Tasks 11
2 Requirements HP SAM Hardware and Software Requirements Architectural Considerations and Best Practices for Setting up an HP SAM Environment Server Sizing In general, the HP SAM Server can handle a theoretical maximum user and resource population of 40,000. ● This is based on the assumption that no more than 1% of users will attempt to connect within the same 30-second window.
Most Administrators already know how to size a SQL database based upon amount of data captured, however, simultaneous HP SAM logons and logoffs can impact performance because these events have to be written to the database. Therefore, the platform sizing for the SQL should take this into account as user populations grow. HP SAM is a multi-tier application and the actual user never logs into the database directly at any time. HP SAM only needs one logon, which is the HP SAM service account.
If you want to avoid continuing to increase memory and processor cores on the HP SAM Server, create multiple gateway servers and split user populations to limit the number of users using a particular gateway as their primary target. You may also split resources between HP SAM servers to distribute the load between servers.
Domain Environment Requirements for HP SAM ● HP SAM is supported in domains whose domain controllers are running Windows 2003 Server or later. ● HP SAM is supported in domains with Domain Functional Level of Windows 2003, Windows 2008, or Windows 2008 R2 Server. NOTE: If the domain is using Windows 2008 domain functional level, you must install Service Pack 1 for Microsoft .NET Framework on the HP SAM server. ● HP SAM only supports domains in a single forest.
HP SAM Web Server Software Requirements NOTE: The HP SAM Web server software is not supported on a server running Windows 2008 R2 Server. This operating system is not available as a 32-bit edition and the HP SAM Web server software cannot run on a 64-bit OS.
HP SAM Hardware and Software Requirements 17
18 Chapter 2 Requirements
HP SAM Hardware and Software Requirements 19
HP SAM SQL Database Server Software Requirements Minimum: One of the following must be installed: ● Microsoft SQL Server 2005 Enterprise, Standard, or Express Edition, with Service Pack 1 or Service Pack 2 ● Microsoft SQL Server 2008 Standard or Enterprise Edition ● Microsoft SQL Server 2008 R2 Standard or Enterprise Edition HP recommends using Microsoft SQL Server 2005 or 2008 Standard or Enterprise Edition.
NOTE: HP SAM 2.2 and earlier clients are not able to connect to Linux resources. ● Linux RHEL5 64 bit (update 2 or later) ● Linux RHEL6 64-bit Install and enable one or both of the following: ● RGS Sender 5.1.3 or higher with Single Sign-on enabled ● Terminal service enabled—RDP Access Device Requirements The following sections provide information about the requirements for access devices.
Mobile Thin Client Hardware Requirements ● HP Compaq 6720t Mobile Thin Client (with Windows XP Embedded operating system) ● HP Compaq 2533t Mobile Thin Client (with Windows XP Embedded operating system) ● HP Compaq 4410t Mobile Thin Client (with Windows Embedded Standard (WES) operating system) Desktop or Notebook PC Software Requirements Install and enable one of the following operating systems: ● Windows XP Professional, 32-bit or 64-bit, with Service Pack 2 or 3 NOTE: The HP SAM Client is unable t
Software Requirements ● Windows XP Professional, 32-bit or 64-bit, with Service Pack 2 or 3 ● Windows Vista, Business and Enterprise, 32-bit or 64-bit with Service Pack 1 or later ● Windows 7, Professional or Enterprise, 32-bit or 64-bit ● Linux RHEL4, 32-bit or 64 bit (update 5 or later) ● Linux RHEL5, 32-bit or 64 bit (update 2 or later) ● Linux RHEL6, 32-bit or 64-bit Other requirements Create a Service Account The HP SAM Web server must run under a domain user account in which it can execute
NOTE: Active Directory running on Windows Server 2000 Domain controllers is not supported.
3 Installation Order of Installation New Installation For new setup, the recommended order of installation is: 1. Install the HP SAM Web Server and SQL Software on page 26 2. Install and Validate the HP SAM Registration Service Software on page 29 3. Install and Validate the HP SAM Client Software on page 33 4. Deploy the HP SAM Registration Service to All HP SAM Computing Resources on page 49 5.
You should see Command(s) completed successfully In the messages section. 2. 3. Shrink the database: a. Open SQL Server Management Studio and expand the Databases folder. b. Right-click on SAM database, and select Tasks > Shrink > Files. c. In the File type list, select Data. d. In the Shrink action section, select Reorganize pages before releasing unused space. e. Set the Shrink file size to the default 100MB. f. Click OK. Verify that you have a 100MB SAM_data.mdf file.
4. For HP SAM Web server installation, the installer asks for a user account. The user account is the owner (known as the HP SAM service account) of the HP SAM website and the HP SAM server service.
14.
Configure Secure Socket Layer (SSL) SSL: You may configure SSL on the HP SAM web server (which includes installing a certificate) to encrypt your password and browser session when you log onto the HP SAM administrative console. ● Manage: Access to the HP SAM administrative console ● Webclient: Communication line between web client and HP SAM server Only certain virtual directories under the main HP SAM website can be set to Require secure channel (SSL).
● After you customize the configuration file (required—see Create the HP SAM Registration Service Configuration File on page 30), rename (or Save As) the sample file to hpevent.cfg. ● Start the HP SAM registration service by going to Control Panel > Administrative Tools > Services, and start the service under the name HP SAM Registration Service. For Linux, enter the following command in the terminal: /etc/init.d/daesvc start. ● If the computing resource has a firewall, enable the ports below.
;DnsDomain=ExampleDomain.com [WebServerList] server1.yourdomain server2.yourdomain [RolesList] sample-role-1 sample-role-2 [AssetGroupList] sample-asset-group-1 sample-asset-group-2 [WebServerList] The [WebServerList] section lists one or more HP SAM web servers. Each HP SAM web server (primary and failover) is listed, one per line. The service uses this list in the order provided.
[AssetGroupList] The [AssetGroupList] section lists zero or more asset groups to which the computing resource can belong. The HP SAM administrator or domain administrator has full rights to all Asset Groups in the HP SAM server. Asset Groups allow full HP SAM Administrators to limit or hide objects (resources, users, etc.) that other administrators are allowed to see and manage. For more information, see Manage Asset Groups on page 55.
Test the HP SAM Registration Service Log onto the HP SAM administrative console, click on the Resources tab, and search for the computing resource within the role it was assigned. ● If the computing resource was not found, check the firewall settings and make sure that the service was started on that computing resource. ● If the computing resource is found, select the Resources tab and select Synchronize from the Operation list and click Go.
Table 3-1 HP SAM Client Comparison Features Internet Explorer-Based Windows XP EmbeddedBased Blade Workstation Client Embedded OSBased Linux-Based Operating System support Windows XP Windows XP HP ThinConnect Windows XP 64bit Windows XP 64bit Blade Workstation Client Embedded OS Windows Vista, 32-bit and 64-bit Windows Vista, 32-bit and 64-bit Windows 7, 32-bit and 64-bit Windows 7, 32-bit and 64-bit Windows XP Embedded Windows XP Embedded Windows Embedded Standard (WES) Windows Embedded
NOTE: HP recommends that you add the HP SAM web server to the Trusted Sites list. On the access device, open Internet Explorer and go to Tools > Internet Options > Security tab. If a firewall is installed, you need to make appropriate changes to allow the HP SAM server client through. For example, if HP Sygate Security Agent is installed, add a rule to allow port 3389 for application IEXPLORE.EXE. To use the Web Client on an access device running Windows XP, 64-bit, you must use Internet Explorer, 32-bit.
Customization Steps (Recommended) 1. Start up the HP SAM client. 2. Type the HP SAM web server name. 3. Click the Options button. 4. Change appropriate connection settings. 5. Click the Save Settings button. 6. Save the config file (hprdc.sam) to the default location, if possible (this may be locked down on some thin clients). When you launch the HP SAM client, your saved settings will take effect. Additional settings can be set by manually editing the .SAM files (configuration files). 1.
5. Change appropriate connection settings. 6. Click the Save Settings button. Click OK in the message confirming that the settings were saved. 7. Select \etc. 8. Click Save. 9. Click the Connect button to connect 10. If the HP SAM client is closed, it should start automatically. If it does not start, right-click and select Remote Graphics. Additional settings can be set by manually editing the .SAM files (configuration files). 1. The HP SAM connection client searches first for the user-specific .
Red Hat Enterprise Linux (RHEL) Client To install the HP SAM Linux Client on a system running RHEL version 4 or 5: 1. Log onto the access device using an account with root permissions. 2. Extract the Linux Client tar.gz package onto the system by executing the following terminal command: tar xzvf . 3. Run the install script by executing: ./install.sh. 4. After the software is installed, verify the program has been installed into /opt/hpsam. Customization Steps (Recommended) 1.
● DefaultPolicy—string value. This is the policy that should be selected by default in the client’s Load Predefined Settings list on the Other tab of the Options section. It is not related to HP SAM policies set in the HP SAM administrative console. ● Autodial—integer value, 0 or 1. If value is set to 1, the program automatically tries to connect on startup, without waiting for the user to type logon information. Default value is 0. ● DefaultUsername—string value.
40 ● ConnectionBar.EnableCloseAll—integer value, 0 or 1. When set to 1, enables the Disconnect All button on the connection bar. The default value is 1. ● ConnectionBar.EnableReconnectAll—integer value, 0 or 1. Default is 1 (enabled). Set to 0 to hide (disable) the Reconnect All button on the connection bar. ● ConnectionBar.EnableDisconnectInstance—integer value, 0 or 1. When set to 1, enables the Disconnect button on the connection bar for each session. The default value is 1. ● ConnectionBar.
NOTE: The options to log off or reboot from the connection bar are disabled by default in the Global policy. The following requirements must be met for Logoff and Restart: —A certificate from the domain certificate authority must be installed on the HP SAM website to allow usernames and passwords to be transmitted to the server. —The HP SAM service account must have local administrator privileges on the resource to be granted permissions to reboot or log off a user from the blade. ● ConnectionBar.
● SmartCardUidOid—string value. The OID associated with the entered SmartCardUidType. Not all Types require an OID. An entry is required is SmartCardUidType=8. Default is blank. ● SmartCardAutoDisconnect—integer value, 0 or 1. If set to 1, automatically disconnect the session when the smart card is removed. Note that Active Directory policy settings may affect the actual behavior of this property. Active Directory options include leave as is, password lock, and log off.
NOTE: The UILanguage specified must either be the same language as the HP SAM client application that you have installed or English. If you installed the English HP SAM client application, do not change the value to any other language. To minimize disk space, the English HP SAM client application does not contain any other HP SAM client language DLL. ● EnableServer—integer value, 0 or 1. If set to 1, the HP SAM Server box on the main application dialog is visible. If set to 0, the field is not displayed.
Policy Entries You can set policy entries by manually editing the .SAM file. These settings must be located in a policy section of the .SAM file, for example, [Local Area Network] or [saved settings]. These values only specify the default settings in the UI. Values changed by the User in the UI will take effect. 44 ● Protocol—integer value, 0, 1, or 3. Specify which protocol to use for connection. RDP is 1, RGS is 3. A value of 0 (automatic) uses autodetected settings, with a preference of RGS over RDP.
● Themes—0 or 1. If 1, Windows XP themes are shown in the session. This value is only supported for RDP connections. Default is 1. ● Animation—0 or 1. If 1, menu animation is shown in the session. This value is only supported for RDP connections. Default is 1. ● Caching—0 or 1. If 1, RDP bitmap caching is enabled. This value is only supported for RDP connections. Default is 0. ● AutoReconnect—0 or 1. If 1, RDP reconnection is enabled. Not recommended for an HP SAM solution.
● ClearType—integer value, 0 or 1. When set to 1, support for Font Smoothing is enabled in an RDP6 session. This option is ignored for RDP5, RGS, and rdesktop. Set to 0 to disable. Default value is 0. ● ComposedUI—integer value, 0 or 1. When set to 1, support for Vista Aero interface is enabled (Desktop Composition). This requires RDP6 and is ignored for RDP5 and RGS. Additionally, various hardware and operating system requirements must be met before the Vista Aero interface can be shown.
Global and Local Client Configuration Files This feature allows administrators to 'lock down' certain options, while allowing other options to be altered by users. There are three levels of files: ● Global: hprdc_admin.sam ● Local: hprdc_accessdevice.sam ● Personal: hprdc.sam The order of precedence is: ● Personal file is read first. ◦ XPe: Anywhere on file system (double-click hprdc.
/opt/hpsam/hprdc_admin.sam Legal Banner This allows a legal disclaimer to be displayed before logon. Name the file disclaimer. and copy the file into the appropriate directory (create the folder, if necessary). The following are the default paths: ● ● Access Device Client: Installing the legal banner on an access device causes the banner to be displayed on that access device only. Name the file disclaimer.
de_DE.UTF-8 German -- Deutsch it_IT.UTF-8 Italian -- Italiano ja_JP.UTF-8 Japanese ko_KR.UTF-8 Korean nb_NO.UTF-8 Norwegian -- Norsk pt_PT.UTF-8 Portuguese -- Português pt_BR.UTF-8 Portuguese-Brazil -- Português do Brasil es_ES.UTF-8 Spanish -- Español es_MX.UTF-8 Spanish, Latin America -- América Latina sv_SE.UTF-8 Swedish -- Svenska de_CH.UTF-8 Swiss-German -- Deutsch (Schweiz) tr_TR.
Deploy HP SAM Client Software to All HP SAM Access Devices To deploy the HP SAM Internet Explorer-based client, instruct your users to go to the HP SAM server website(s) that you have set up. If the access device is accessing the HP SAM server for the first time, the access device needs to install two ActiveX controls (HP SAM Web Client Utility Class and Microsoft RDP Client Control). The installed location for these controls are in the %SystemRoot%\Downloaded Program Files\ folder.
4 Administration Log In In the Internet Explorer address bar, enter in the HP SAM web server name with “/manage” added to the URL (for example, http://HP SAMservername/manage). Use “https:” if the HP SAM administrative console has been set to require SSL. If SSL is configured and a certificate-related security pop-up message is displayed, click Yes. Once you get to the logon page, enter username, password, and click the Sign In button. You have two ways to enter in your username.
Managing the HP SAM Administrator Access List The Domain Administrator, Domain Users in the Administrators group on the domain controller, and Domain Users in the HP SAM server Local Administrator Group are automatically members of the HP SAM Administrator Group. To add another user to the HP SAM Administrator group, see To Assign Attributes on page 57. Add Individual Users to the HP SAM Administrator Group If you are adding only a few users, add the names directly to the HP SAM Administrator group. 1.
Add Security Groups or Organizational Units to the HP SAM Administrator Group To add many users: 1. Leverage Active Directory services by adding the names in Active Directory under a security group or organizational unit. 2. Go to the Add New Users page. 3. Add the security group or organizational unit directly to the HP SAM Administrator group. a. In Search By, select Organizations (OU) or Security Groups. b.
HP SAM Administrative Console Tabs Home Tab When you log onto HP SAM, the Home tab page is the default. HP SAM shows a snapshot of current resource status grouped by roles, as a convenience to the administrator. Users and Roles Tab The Users and Roles tab facilitates the management of roles and user access list. Manage Resource Roles All roles, as created by computing resources when they self-registered or created with the Create button, are shown. ● Role column: A list of all roles.
● Public column: ◦ If selected, the role is available for all users in Active Directory. ◦ If not selected, then the role is only available to user(s) in that particular role access list. ◦ To change the setting, click the link for the role, select or clear the check box in the dialog box, and then click Save. ● Access Restriction column: Shows a summary of the resource reservations that have been added to the role. ● Create button: Click to create a new role that you can assign to resources.
Manage Administrative Permissions NOTE: You must have full HP SAM Administrator permissions to: —Create, modify, or delete an Administrator group. —Assign users to an Administrator group. The following have this permission: —HP SAM Server administrators —Domain administrators —Domain users assigned to “Administrator” Administrator group in HP SAM Use this window to customize permissions for differing levels of administrator access.
Manage Users By default, the search shows all users, security groups, and OUs. ● Search For: Organizations (OU), Security Groups, Users—Select in which group or groups you want to perform the search ● Filter Options: You can narrow the list of users shown by using the filter options. The filter option is based on “AND” combinations, so the more boxes you enter, the narrower the list of users shown. ◦ Name—Type the name to search for. ◦ Role—Select the role to search within.
7. Double-click asset groups or use the arrows between the Available and Selected boxes to move the asset groups. Place all asset groups you want to assign to the selected user in the Selected box. 8. Double-click roles or use the arrows between the Available and Selected boxes to move the roles. Place all roles you want to assign to the selected user in the Selected box. 9. Click Save to save your changes.
7. e. Click Save to change the resource assignment. f. Repeat a–e for each additional resource to be assigned to the user. If you want to change the friendly name for the resource, click the link in the Friendly Name column, and then type a new friendly name for the resource in the Update Friendly Name window. The default friendly name is the resource host name. 8. If you want to assign a backup for the dedicated resource, in the Backup column, click either Role or Resource for the user.
NOTE: A message will be displayed if you attempt to assign resources to a user who already has resources or if the primary roles do not have enough resources available. The template user must have at least one dedicated resource that exists in a role. Only primary roles are considered when assigning dedicated resources to multiple users. The selected users will be assigned dedicated resources from free resources in this role.
8. Select the USB Default, which is the session you want RGS to use by default with USB devices connected to the access device. 9. Click Save. To Change the Monitor Layout Configuration for the User 1. Select the check box next to the appropriate name. 2. From the Operation list, select Assign Monitor Layouts, and then click the Go button to open the Monitor Layouts for window, which shows the monitor layouts, if any, assigned to the selected user. 3.
NOTE: Searching by Global Catalog displays all users from external domains. Users from other domains can be added to HP SAM using Global Catalog, but they may not be able to log on if the External setting has not been selected on the Active Directory page of the System Settings tab. 4. Type one or more of the parameters, as shown in the following examples: a. Last Name: Search is performed by last name when entering characters. b.
Manage Resources By default, the search shows all computing resources (such as blade PCs). You can narrow the list of resources shown by using the filter options. The filter option is based on “AND” combinations, so the more boxes you enter, the narrower the list of resources shown. The following are your filter options: ● IP Address/Host Name—Show the list of resources where the IP address or host name matches what you entered (or range or set of computing resources matching what you entered).
To perform any of the operations listed below: 1. Select the appropriate resource(s). 2. Select the task to perform in the Operation list. 3. Click the Go button. Operations ● Delete—Delete the resource from the system. Do this to clean up the database. You can delete the computing resource only if its current status is Offline. ● Disable—Prevent the resource from further allocation. If In-use, the current user session is unaffected.
double arrows move all items in the list. You can display a minimum of three and a maximum of six columns. Manage Access Devices To Add an Access Device Manually NOTE: The Windows-based client, Blade Workstation Client, and Linux Client register access devices automatically upon connection to the HP SAM server. The XP Embedded OS image on some thin client access devices lack support needed for this to occur.
4. Select the Asset Groups associated with this monitor layout. 5. Click Save to add the new ID. To Modify a Monitor Layout 1. If you want to change the name, description, or asset group of the monitor layout, click the link in the Monitor Layout ID column and then change the desired settings. 2. Click Save to change the monitor layout ID. To Delete a Monitor Layout 1. Select the check box next to the appropriate monitor layout. 2. Click Delete and then click OK.
5. Select the check boxes for the enclosures to add, and then click Save. 6. Click Close. To Delete Enclosures from a Data Center 1. Select the check box for the appropriate data center. 2. Choose View Enclosures from the Operation list and click Go. 3. Select the check boxes for the enclosures to delete. 4. Click Delete. 5. Click Close. To Delete a Data Center 1. Select the check box for the appropriate data center or data centers. 2. Choose Delete from the Operation list and click Go. 3.
Policies Tab Policy management allows administrator to override the user’s HP SAM client settings. In general, the user is allowed the flexibility to customize the connection settings on the client side. If there are specific settings that the user must always connect with, then the administrator may use the Policies tab to define the forced settings.
Table 4-1 Effective Hierarchical Policy Example (continued) Parameter 3 P6 1 2 3 Global Role OU SG1 SG2 User Effective ON OFF ON OFF ON Not Assigned OFF The order of policy assignment is User (highest) > Security Group > OU > Role > Global Policy (lowest). Individual parameters assigned at the User level override parameters set at the Group level, and so forth.
System Settings Tab This tab allows the administrator to set how the HP SAM server behaves. General This page allows the administrator to define the settings for the entire system. Make the appropriate change(s) and click Save to apply. ● New Role Settings—When a new role is created (computing resource self-registers with a role that is brand new to the system), the flags are set accordingly based on the value assigned.
● ● Multi-Session Autoconnection—When enabled, allows the system to autoconnect users to all resources of the chosen type which are assigned to the user when user is on an access device without a monitor layout ID assigned. Select one or more: ◦ Dedicated Resources ◦ Roles with Public Enabled ◦ Roles with Public Disabled Client-Resource Network—When the access device connects to the computing resource, you can specify which method it uses.
● Banner text—Select the language and type the appropriate message in the box to change the customizable message that is displayed to the user on the HP SAM web client page. ● Smart Card ◦ Smart card login—Select the value for the type of logon you want. - Disallowed—Select to disable logging in using a smart card. Only the traditional logon information fields are displayed. - Optional—Select to make optional the use of a smart card to logon. All logon fields are displayed.
Auto Schedules NOTE: These schedules can now be found on the Auto-Schedules page instead of the top menu. Resource Synchronization Scheduler To schedule when to run the synchronize operation task to capture any resources that are offline, set the timer as instructed below and click Create or Update. In general, you do not need to do this if the resources are running under normal operation.
◦ Delete without saving—Select this if it is okay for the data to be permanently deleted. ◦ Save as CSV file and then Delete—Select this to save to an external text file before deleting the data permanently. —Type the file path where you want to store the CSV file. Log Off User from Resource Scheduler To schedule when the system will forcibly log off users from their resources, set the timer as instructed below and click Create or Update.
administrative console) that is before the SA expiration date. If you install a version of SAM which has an Effective Date that is after the SA expiration date, those licenses will no longer count. This may cause an orange warning banner to be shown saying you have more resources than licenses. Even in this situation, no functionality will be lost. The customer must then purchase version 3 licenses or revert to an older version of HP SAM. Click the Enter New Key button to add a new key to HP SAM.
Display Options ● ● Threshold Percentages—On the report you can highlight the data if it exceeds the number entered here. ◦ Minimum Available—If data is below the value entered, the report highlights it. ◦ Maximum Consumed—If data is above the value entered, the report highlights it. Open in New Window—If selected, the result data are shown in a new browser window. Output Report ● Role Name—Name of role.
Display Options ● Threshold Percentages—On the report you can highlight the data if it exceeds the number entered here. ◦ Minimum Available—If data is below the value entered, the report highlights it. ◦ Maximum Consumed—If data is above the value entered, the report highlights it. ● Time Interval—Chart the data where the scale is based on hour, day, week, or month. ● Include raw data—If the raw data is also wanted in the report, check the Include raw data box.
Filters ● Total Resources—Physical count is based on unique physical resource (i.e., primary role only). Logical count produces higher numbers because a computing resource is counted multiple times if it was assigned to multiple roles. ● Role Enabled—Narrow the data to all roles that are enabled only (Yes), disabled only (No), or ignore this flag by selecting both.
You have four operations you can perform: ● Save selected ● Save entire log ● Delete selected ● Delete entire log Setting Up Smart Card Logon on the Access Device NOTE: RGS 5.1.3 or later is required when logging in using RGS with smart cards. Smart Card logon does not work if RGS Single Sign-on is enabled. You must enable Easy Login on the RGS Sender and set the USB on the RGS Receiver to Remote and Local or Remote.
7. If you want the system to automatically launch the HP SAM client when a users inserts a smart card, see steps a and b. (NOTE: Step a is the default setting.) a. For the Windows-based client (default setting), edit the ‘scwatch.cfg’ file with the following: [scwatch] Action=c:\Program Files\Hewlett-Packard\HP Session Allocation Client\hprdcw32.exe ActionDir=c:\Program Files\Hewlett-Packard\HP Session Allocation Client\ — or — b. For the Internet Explorer-based client, edit the ‘scwatch.
To import the session timers into the Group Policy Management utility on the domain controller: 1. Copy the HPCCIST.ADM file to the domain controller. 2. Create a Group Policy Object (GPO) on the domain controller in Group Policy Management. ▲ Right-click on Group Policy Objects and select New. 3. Right-click on the GPO, select Edit, and then edit the GPO. 4. Right-click Administrative Templates. 5. Click Add and browse to HPCCIST.ADM. 6.
Session Timers for Linux HP SAM Session Timers for Linux have been added to provide functionality to administrators on Linux resources similar to what previously existed only for Windows resources. It features the ability to disconnect or log off users after a set amount of time when logged in, logged in but inactive, or in a disconnected state. It can also be set to factor in CPU usage with configurable thresholds.
same role begins (or at 12:00 midnight, if no other reservations are set.) A dialog warns the user before the logoff occurs. The lead time of this warning can be configured in System Settings on the General page of the HP SAM administrative console. For example, a school may use resource reservations to ensure students get a resource from the correct role for each class and make sure resources are freed in time for a later class needing resources in the same role.
To enable this feature, all of the following must be configured: ● Enable Authentication before Allocation on the General page of System Settings on the HP SAM administrative console. ● Ensure that a certificate from the domain certificate authority is installed on the HP SAM website in IIS on the HP SAM server. ● The following option must be enabled via the HP SAM client configuration file on all access devices: AuthenticateBeforeAllocation=1.
A Firewall Rules This appendix lists the rules needed for communication between the various components. The values in parenthesis represent ports, with ANY meaning any ports on that component.
◦ From clients (TCP/ANY) to resources (TCP/3389—RDP) ◦ From clients (TCP/ANY) to resources (TCP/42966)—RGS) NOTE: The default RGS port is TCP/42966; however, RGS 5.3 and later allows this to be changed. Please see the RGS documentation for details.
B Frequently Asked Questions Question Answer Why do some users on the HP SAM client have to select a role or resource to connect and others do not. Users who are in more than one role must select the role to connect. Those users who are in only one role do not see this screen. A user assigned a single dedicated resource does not have to select a role. Also, when Monitor Layout IDs or MultiSession Autoconnections or Resource Reservations are used, the user is not prompted for a role or resource.
88 Question Answer How do I enable HP Sygate Security Agent on the Windows XP Embedded-based thin client for the HP SAM client(s)? Go to HP Sygate Security Agent advance rules and create a new rule for HP SAM. Add IEXPLORE.EXE and/or hprdcw32.exe to the Application tab. On the Ports and Protocol tab, set protocol to TCP and type 80,443,3389,42966 on the remote port line if you want both clients to work. Otherwise, make sure port 3389 is set for IEXPLORE.
Question Answer How can I change both the HP SAM web server http and https ports to some other value beside the default 80 and 443? After changing the desired value (TCP and/or SSL ports) in Internet Information Services (IIS) Manager, modify the CONNECTION.CONFIG file located on the HP SAM web server in root of the HP SAM installation directory (usually c: \Program Files\Hewlett-Packard\HP SAM). Use Notepad to edit the file.
Question Answer How do I change the HP SAM datagram communication port to another value beside the default 47777? Modify the connection.config file located on the HP SAM web server in the HP SAM installation directory (usually c: \Program Files\Hewlett-Packard\HP SAM). Use Notepad to edit the file. Add this line in the appSettings section: Where port number is the new HP SAM datagram communication port you want to use.
Question Answer Users are getting the message All resources are currently in use. Please try again later but there appear to be free resources according to the HP SAM administrative console. What are the potential causes for this? First, refresh the Resources list in the HP SAM administrative console and check to see if any resources are available in the role (or dedicated resource) the user is attempting to access.
92 Question Answer Why does a user, whose Security Group has been added to HP SAM from a child domain, receive the error “Your account cannot be assigned to any existing roles?” The user may see this error when logging into HP SAM using his username in UPN (user@domain.dom) format. When UPN is used, HP SAM checks the global catalog for group memberships in Active Directory. Local and Global Security Groups are not visible this way.
C Registration Service Error Codes The following is a list of possible errors which the registration service writes to the event log file on the computing resource. If you encounter a critical issue on the blade, note the error code and communicate it to the support team. BC0001—Internal error accessing WMI. Contact your HP SAM support team. BC0002—Internal error accessing WMI. Contact your HP SAM support team. BC0003—Internal error failed to spawn threads, usually due to low memory.
BC0024—Internal error. Contact your HP SAM support team. BC0025—Internal error. Contact your HP SAM support team. BC0026—Error communicating with the Terminal Services subsystem. Contact your HP SAM support team. BC0028—Failed to set up UDP server port. Check if another program is already using the same UPD port (usually port 47777 by default). BC0029—Failed to receive UDP data from network (recvfrom() failed). Check your network and/or firewall settings.
BC0104—Failed to set up properties for listening UDP socket. Contact your HP SAM support team. BC0105—(Warning) this resource has no roles defined. Without a role, the computing resource is not available for allocation. BC0106—(Warning) Internal service error in communicating with the SCM. May affect how the Service Control Manager determines if the service has been started or stopped. Contact your HP SAM support team. BC0107—Failed to setup timer. Internal error, possibly due to low memory conditions.
D Glossary Access Device—A device such as a thin client used to access HP SAM to connect to computing resources. Active Directory—A Microsoft Windows directory service that stores an enterprise’s information and settings in a central, organized, accessible database. Active Directory allows administrators to assign policies, deploy programs, and apply critical updates to an entire organization.
Registration Service—Sometimes referred to as the blade service, this is a service that runs on the computing resources that communicates the status of the resource back to the HP SAM Server. Resource—A managed computer inside HP SAM which can be provided to a client for the purpose of logging in via RGS or RDP. It is also referred to as computing resource or desktop session. A resource could be a Blade PC, a Blade Workstation, or a virtual machine. RDP—Microsoft Remote Desktop Protocol.
Index A access device adding manually 65 changing 65 deleting 65 requirements 21 access devices, managing 65 access list 52 access restrictions 82 account, service 23 Active Directory 23, 72 ActiveX controls 35 adding access device, manually 65 enclosures into data centers 66 monitor layout 65 organization units to the Administrator role 53 security groups to Administrator role 53 users 61 users to Administrator group 52 Administrative permissions 56 rights required to install 23 administrative console tabs
ConnectionBar.ShowOnDisconnec t 40 ConnectionBar.ShowReboot 40 ConnectionBar.
I ImageQuality 44 installation error 87 new 25 order 25 upgrade 25 installing Administrative rights 23 HP Blade Workstation Client series 36 HP SAM client software 33 HP SAM registration service 29 HP SAM registration service software 29 HP SAM SQL software 26 HP SAM Web Server 26 HP ThinPro GT client 37 Internet Explorer-based client 34 RHEL client 38 Windows-based client 35 Internet Explorer-based client 34 IP address list 27 J Japanese characters 88 K KeyRepeatEnabled 44 Keys 45 KioskMode 43 L legal bann
user 61 users from Administrator group 53 reports Resource Capacity Consumption 75 Resource Capacity Consumption Trend 76 Resource Utilization 77 Reports tab 75 requirements access device 21 Blade Workstation client 22 desktop or notebook PC 22 domain environment 15 hardware and software 12 mobile thin client 22 Personal Workstation client 22 registration service 20 SQL server 15 thin client 21 web server 15 ResetAfterSession 39 Resolutions 40 Resource Capacity Consumption report 75 Resource Capacity Consum
user deleting 61 interface 51 interface settings 42 User name field 72 User Sign-in Time Out 70 users adding 61 managing 57 removing from Administrator group 53 users and roles 54 V validating, HP SAM registration service software 29 view details 63 W Wallpaper 44 web client 71 web server firewall rules 85 hardware requirements 15 software requirements 16 WebServerList 31 Width 45 Windows-based client 35 WindowSnapEnabled 44 102 Index
