1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
|
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<chapter>
<title>Remote virtual machines</title>
<sect1>
<title id="vrde">Remote display (VRDP support)</title>
<para>VirtualBox can display virtual machines remotely, meaning that a
virtual machine can execute on one machine even though the machine will be
displayed on a second computer, and the machine will be controlled from
there as well, as if the virtual machine was running on that second
computer.</para>
<para>For maximum flexibility, starting with VirtualBox 4.0, VirtualBox
implements remote machine display through a generic extension interface,
the VirtualBox Remote Desktop Extension (VRDE). The base open-source
VirtualBox package only provides this interface, while implementations can
be supplied by third parties with VirtualBox extension packages, which
must be installed separately from the base package. See <xref
linkend="intro-installing" /> for more information.</para>
<para>Oracle provides support for the <emphasis role="bold">VirtualBox
Remote Display Protocol (VRDP)</emphasis> in such a VirtualBox extension
package. When this package is installed, VirtualBox versions 4.0 and later
support VRDP the same way as binary (non-open-source) versions of
VirtualBox before 4.0 did.</para>
<para>VRDP is a backwards-compatible extension to Microsoft's Remote
Desktop Protocol (RDP). Typically graphics updates and audio are sent from
the remote machine to the client, while keyboard and mouse events are sent
back. As a result, you can use any standard RDP client to control the
remote VM.</para>
<para>Even when the extension is installed, the VRDP server is disabled by
default. It can easily be enabled on a per-VM basis either in the
VirtualBox Manager in the "Display" settings (see <xref
linkend="settings-display" />) or with
<computeroutput>VBoxManage</computeroutput>:<screen>VBoxManage modifyvm "VM name" --vrde on</screen></para>
<para>If you use <computeroutput>VBoxHeadless</computeroutput> (described
further below), VRDP support will be automatically enabled since
VBoxHeadless has no other means of output.</para>
<sect2 id="rdp-viewers">
<title>Common third-party RDP viewers</title>
<para>Since VRDP is backwards-compatible to RDP, you can use any
standard RDP viewer to connect to such a remote virtual machine
(examples follow below). For this to work, you must specify the
<emphasis role="bold">IP address</emphasis> of your
<emphasis>host</emphasis> system (not of the virtual machine!) as the
server address to connect to, as well as the <emphasis role="bold">port
number</emphasis> that the RDP server is using.</para>
<para>By default, VRDP uses TCP port
<computeroutput>3389</computeroutput>. You will need to change the
default port if you run more than one VRDP server, since the port can
only be used by one server at a time; you might also need to change it
on Windows hosts since the default port might already be used by the RDP
server that is built into Windows itself. Ports 5000 through 5050 are
typically not used and might be a good choice.</para>
<para>The port can be changed either in the "Display" settings of the
graphical user interface or with
<computeroutput>--vrdeport</computeroutput> option of the
<computeroutput>VBoxManage modifyvm</computeroutput> command. You can
specify a comma-separated list of ports or ranges of ports. Use a dash
between two port numbers to specify a range. The VRDP server will bind
to <emphasis role="bold">one</emphasis> of available ports from the
specified list. For example, <computeroutput>VBoxManage modifyvm "VM
name" --vrdeport 5000,5010-5012</computeroutput> will configure the
server to bind to one of the ports 5000, 5010, 5011 or 5012. See <xref
linkend="vboxmanage-modifyvm" /> for details.</para>
<para>The actual port used by a running VM can be either queried with
<computeroutput>VBoxManage showvminfo</computeroutput> command or seen
in the GUI on the "Runtime" tab of the "Session Information Dialog",
which is accessible via the "Machine" menu of the VM window.</para>
<para>Here follow examples for the most common RDP viewers:<itemizedlist>
<listitem>
<para>On Windows, you can use the Microsoft Terminal Services
Connector (<computeroutput>mstsc.exe</computeroutput>) that ships
with Windows. You can start it by bringing up the "Run" dialog
(press the Windows key and "R") and typing "mstsc". You can also
find it under "Start" -> "All Programs" -> "Accessories"
-> "Remote Desktop Connection". If you use the "Run" dialog,
you can type in options directly:<screen>mstsc 1.2.3.4[:3389]</screen></para>
<para>Replace "1.2.3.4" with the host IP address, and 3389 with a
different port if necessary.</para>
<note>
<para>When connecting to localhost in order to test the
connection, the addresses
<computeroutput>localhost</computeroutput> and
<computeroutput>127.0.0.1</computeroutput> might not work using
<computeroutput>mstsc.exe</computeroutput>. Instead, the address
<computeroutput>127.0.0.2[:3389]</computeroutput> has to be
used.</para>
</note>
</listitem>
<listitem>
<para>On other systems, you can use the standard open-source
<computeroutput>rdesktop</computeroutput> program. This ships with
most Linux distributions, but VirtualBox also comes with a
modified variant of rdesktop for remote USB support (see <xref
linkend="usb-over-rdp" /> below).</para>
<para>With rdesktop, use a command line such as the
following:<screen>rdesktop -a 16 -N 1.2.3.4:3389</screen></para>
<para>As said for the Microsoft viewer above, replace "1.2.3.4"
with the host IP address, and 3389 with a different port if
necessary. The <computeroutput>-a 16</computeroutput> option
requests a color depth of 16 bits per pixel, which we recommend.
(For best performance, after installation of the guest operating
system, you should set its display color depth to the same value).
The <computeroutput>-N</computeroutput> option enables use of the
NumPad keys.</para>
</listitem>
<listitem>
<para>If you run the KDE desktop, you might prefer
<computeroutput>krdc</computeroutput>, the KDE RDP viewer. The
command line would look like this:<screen>krdc --window --high-quality rdp:/1.2.3.4[:3389]</screen></para>
<para>Again, replace "1.2.3.4" with the host IP address, and 3389
with a different port if necessary. The "rdp:/" bit is required
with krdc to switch it into RDP mode.</para>
</listitem>
<listitem>
<para>With Sun Ray thin clients you can use
<computeroutput>uttsc</computeroutput>, which is part of the
Sun Ray Windows Connector package. See the corresponding
documentation for details.</para>
</listitem>
</itemizedlist></para>
</sect2>
<sect2 id="vboxheadless">
<title>VBoxHeadless, the remote desktop server</title>
<para>While any VM started from the VirtualBox Manager is capable of
running virtual machines remotely, it is not convenient to have to run
the full-fledged GUI if you never want to have VMs displayed locally in
the first place. In particular, if you are running server hardware whose
only purpose is to host VMs, and all your VMs are supposed to run
remotely over VRDP, then it is pointless to have a graphical user
interface on the server at all -- especially since, on a Linux or
Solaris host, the VirtualBox manager comes with dependencies on the Qt
and SDL libraries. This is inconvenient if you would rather not have the
X Window system on your server at all.</para>
<para>VirtualBox therefore comes with yet another front-end called
<computeroutput>VBoxHeadless</computeroutput>, which produces no visible
output on the host at all, but instead only delivers VRDP data. This
front-end has no dependencies on the X Window system on Linux and
Solaris hosts.<footnote>
<para>Before VirtualBox 1.6, the headless server was called
<computeroutput>VBoxVRDP</computeroutput>. For the sake of backwards
compatibility, the VirtualBox installation still installs an
executable with that name as well.</para>
</footnote></para>
<para>To start a virtual machine with
<computeroutput>VBoxHeadless</computeroutput>, you have two
options:</para>
<itemizedlist>
<listitem>
<para>You can use <screen>VBoxManage startvm "VM name" --type headless</screen>The
extra <computeroutput>--type</computeroutput> option causes
VirtualBox to use <computeroutput>VBoxHeadless</computeroutput> as
the front-end to the internal virtualization engine instead of the
Qt front-end.</para>
</listitem>
<listitem>
<para>The alternative is to use
<computeroutput>VBoxHeadless</computeroutput> directly, as
follows:<screen>VBoxHeadless --startvm <uuid|name></screen></para>
<para>This way of starting the VM helps troubleshooting problems
reported by <computeroutput>VBoxManage startvm ...</computeroutput>
because you can see sometimes more detailed error messages,
especially for early failures before the VM execution is started.
In normal situations <computeroutput>VBoxManage startvm</computeroutput>
is preferred since it runs the VM directly as a background process
which has to be done explicitly when directly starting
<computeroutput>VBoxHeadless</computeroutput>.</para>
</listitem>
</itemizedlist>
<para>Note that when you use
<computeroutput>VBoxHeadless</computeroutput> to start a VM, since the
headless server has no other means of output, the VRDP server will
<emphasis>always</emphasis> be enabled, regardless of whether you had
enabled the VRDP server in the VM's settings. If this is undesirable
(for example because you want to access the VM via
<computeroutput>ssh</computeroutput> only), start the VM like
this:<screen>VBoxHeadless --startvm <uuid|name> --vrde off</screen>To
have the VRDP server enabled depending on the VM configuration, as the
other front-ends would, use this:<screen>VBoxHeadless --startvm <uuid|name> --vrde config</screen></para>
<para>If you start the VM with <computeroutput>VBoxManage startvm ...</computeroutput>
then the configuration settings of the VM are always used.</para>
</sect2>
<sect2>
<title>Step by step: creating a virtual machine on a headless
server</title>
<para>The following instructions may give you an idea how to create a
virtual machine on a headless server over a network connection. We will
create a virtual machine, establish an RDP connection and install a
guest operating system -- all without having to touch the headless
server. All you need is the following:</para>
<para><orderedlist>
<listitem>
<para>VirtualBox on a server machine with a supported host
operating system. The VirtualBox extension pack for the VRDP
server must be installed (see the previous section). For the
following example, we will assume a Linux server.</para>
</listitem>
<listitem>
<para>An ISO file accessible from the server, containing the
installation data for the guest operating system to install (we
will assume Windows XP in the following example).</para>
</listitem>
<listitem>
<para>A terminal connection to that host through which you can
access a command line (e.g. via
<computeroutput>ssh</computeroutput>).</para>
</listitem>
<listitem>
<para>An RDP viewer on the remote client; see <xref
linkend="rdp-viewers" /> above for examples.</para>
</listitem>
</orderedlist>Note again that on the server machine, since we will
only use the headless server, neither Qt nor SDL nor the X Window system
will be needed.</para>
<para><orderedlist>
<listitem>
<para>On the headless server, create a new virtual machine:</para>
<screen>VBoxManage createvm --name "Windows XP" --ostype WindowsXP --register</screen>
<para>Note that if you do not specify
<computeroutput>--register</computeroutput>, you will have to
manually use the <computeroutput>registervm</computeroutput>
command later.</para>
<para>Note further that you do not need to specify
<computeroutput>--ostype</computeroutput>, but doing so selects
some sane default values for certain VM parameters, for example
the RAM size and the type of the virtual network device. To get a
complete list of supported operating systems you can use</para>
<screen>VBoxManage list ostypes</screen>
</listitem>
<listitem>
<para>Make sure the settings for this VM are appropriate for the
guest operating system that we will install. For example:<screen>VBoxManage modifyvm "Windows XP" --memory 256 --acpi on --boot1 dvd --nic1 nat</screen></para>
</listitem>
<listitem>
<para>Create a virtual hard disk for the VM (in this case, 10GB in
size):<screen>VBoxManage createhd --filename "WinXP.vdi" --size 10000</screen></para>
</listitem>
<listitem>
<para>Add an IDE Controller to the new VM:<screen>VBoxManage storagectl "Windows XP" --name "IDE Controller"
--add ide --controller PIIX4</screen></para>
</listitem>
<listitem>
<para>Set the VDI file created above as the first virtual hard
disk of the new VM:<screen>VBoxManage storageattach "Windows XP" --storagectl "IDE Controller"
--port 0 --device 0 --type hdd --medium "WinXP.vdi"</screen></para>
</listitem>
<listitem>
<para>Attach the ISO file that contains the operating system
installation that you want to install later to the virtual
machine, so the machine can boot from it:<screen>VBoxManage storageattach "Windows XP" --storagectl "IDE Controller"
--port 0 --device 1 --type dvddrive --medium /full/path/to/iso.iso</screen></para>
</listitem>
<listitem>
<para>Start the virtual machine using VBoxHeadless:<screen>VBoxHeadless --startvm "Windows XP"</screen></para>
<para>If everything worked, you should see a copyright notice. If,
instead, you are returned to the command line, then something went
wrong.</para>
</listitem>
<listitem>
<para>On the client machine, fire up the RDP viewer and try to
connect to the server (see <xref linkend="rdp-viewers" /> above
for how to use various common RDP viewers).</para>
<para>You should now be seeing the installation routine of your
guest operating system remotely in the RDP viewer.</para>
</listitem>
</orderedlist></para>
</sect2>
<sect2 id="usb-over-rdp">
<title>Remote USB</title>
<para>As a special feature on top of the VRDP support, VirtualBox
supports remote USB devices over the wire as well. That is, the
VirtualBox guest that runs on one computer can access the USB devices of
the remote computer on which the VRDP data is being displayed the same
way as USB devices that are connected to the actual host. This allows
for running virtual machines on a VirtualBox host that acts as a server,
where a client can connect from elsewhere that needs only a network
adapter and a display capable of running an RDP viewer. When USB devices
are plugged into the client, the remote VirtualBox server can access
them.</para>
<para>For these remote USB devices, the same filter rules apply as for
other USB devices, as described with <xref linkend="settings-usb" />.
All you have to do is specify "Remote" (or "Any") when setting up these
rules.</para>
<para>Accessing remote USB devices is only possible if the RDP client
supports this extension. On Linux and Solaris hosts, the VirtualBox
installation provides a suitable VRDP client called
<computeroutput>rdesktop-vrdp</computeroutput>. Recent versions of
<computeroutput>uttsc</computeroutput>, a client tailored for the use
with Sun Ray thin clients, also support accessing remote USB devices.
RDP clients for other platforms will be provided in future VirtualBox
versions.</para>
<para>To make a remote USB device available to a VM,
<computeroutput>rdesktop-vrdp</computeroutput> should be started as
follows:<screen>rdesktop-vrdp -r usb -a 16 -N my.host.address</screen>Note
that <computeroutput>rdesktop-vrdp</computeroutput> can access USB
devices only through <computeroutput>/proc/bus/usb</computeroutput>.
Please refer to <xref linkend="ts_usb-linux" /> for further details on how
to properly set up the permissions. Furthermore it is advisable to
disable automatic loading of any host driver on the remote host which
might work on USB devices to ensure that the devices are accessible by
the RDP client. If the setup was properly done on the remote host,
plug/unplug events are visible on the VBox.log file of the VM.</para>
</sect2>
<sect2 id="vbox-auth">
<title>RDP authentication</title>
<para>For each virtual machine that is remotely accessible via RDP, you
can individually determine if and how client connections are
authenticated. For this, use <computeroutput>VBoxManage
modifyvm</computeroutput> command with the
<computeroutput>--vrdeauthtype</computeroutput> option; see <xref
linkend="vboxmanage-modifyvm" /> for a general introduction. Three
methods of authentication are available:<itemizedlist>
<listitem>
<para>The "null" method means that there is no authentication at
all; any client can connect to the VRDP server and thus the
virtual machine. This is, of course, very insecure and only to be
recommended for private networks.</para>
</listitem>
<listitem>
<para>The "external" method provides external authentication
through a special authentication library. VirtualBox ships with
two such authentication libraries:<orderedlist>
<listitem>
<para>The default authentication library,
<computeroutput>VBoxAuth</computeroutput>, authenticates
against user credentials of the hosts. Depending on the host
platform, this means:<itemizedlist>
<listitem>
<para>On Linux hosts,
<computeroutput>VBoxAuth.so</computeroutput>
authenticates users against the host's PAM
system.</para>
</listitem>
<listitem>
<para>On Windows hosts,
<computeroutput>VBoxAuth.dll</computeroutput>
authenticates users against the host's WinLogon
system.</para>
</listitem>
<listitem>
<para>On Mac OS X hosts,
<computeroutput>VBoxAuth.dylib</computeroutput>
authenticates users against the host's directory
service.<footnote>
<para>Support for Mac OS X was added in version
3.2.</para>
</footnote></para>
</listitem>
</itemizedlist></para>
<para>In other words, the "external" method per default
performs authentication with the user accounts that exist on
the host system. Any user with valid authentication
credentials is accepted, i.e. the username does not have to
correspond to the user running the VM.</para>
</listitem>
<listitem>
<para>An additional library called
<computeroutput>VBoxAuthSimple</computeroutput> performs
authentication against credentials configured in the
"extradata" section of a virtual machine's XML settings
file. This is probably the simplest way to get
authentication that does not depend on a running and
supported guest (see below). The following steps are
required:<orderedlist>
<listitem>
<para>Enable
<computeroutput>VBoxAuthSimple</computeroutput> with
the following command:</para>
<para><screen>VBoxManage setproperty vrdeauthlibrary "VBoxAuthSimple"</screen></para>
</listitem>
<listitem>
<para>To enable the library for a particular VM, you
must then switch authentication to external:<screen>VBoxManage modifyvm <vm> --vrdeauthtype external</screen></para>
<para>Replace
<computeroutput><vm></computeroutput> with the
VM name or UUID.</para>
</listitem>
<listitem>
<para>You will then need to configure users and
passwords by writing items into the machine's
extradata. Since the XML machine settings file, into
whose "extradata" section the password needs to be
written, is a plain text file, VirtualBox uses hashes
to encrypt passwords. The following command must be
used:<screen>VBoxManage setextradata <vm> "VBoxAuthSimple/users/<user>" <hash></screen></para>
<para>Replace
<computeroutput><vm></computeroutput> with the
VM name or UUID,
<computeroutput><user></computeroutput> with the
user name who should be allowed to log in and
<computeroutput><hash></computeroutput> with the
encrypted password. As an example, to obtain the hash
value for the password "secret", you can use the
following command:<screen>VBoxManage internalcommands passwordhash "secret"</screen></para>
<para>This will print
<screen>2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b</screen>
You can then use VBoxManage setextradata to store this
value in the machine's "extradata" section.</para>
<para>As example, combined together, to set the
password for the user "john" and the machine "My VM"
to "secret", use this command:<screen>VBoxManage setextradata "My VM" "VBoxAuthSimple/users/john"
2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b</screen></para>
</listitem>
</orderedlist></para>
</listitem>
</orderedlist></para>
</listitem>
<listitem>
<para>Finally, the "guest" authentication method performs
authentication with a special component that comes with the Guest
Additions; as a result, authentication is not performed on the
host, but with the <emphasis>guest</emphasis> user
accounts.</para>
<para>This method is currently still in testing and not yet
supported.</para>
</listitem>
</itemizedlist></para>
<para>In addition to the methods described above, you can replace the
default "external" authentication module with any other module. For
this, VirtualBox provides a well-defined interface that allows you to
write your own authentication module. This is described in detail in the
VirtualBox Software Development Kit (SDK) reference; please see <xref
linkend="VirtualBoxAPI" /> for details.</para>
</sect2>
<sect2 id="vrde-crypt">
<title>RDP encryption</title>
<para>RDP features data stream encryption, which is based on the RC4
symmetric cipher (with keys up to 128bit). The RC4 keys are being
replaced in regular intervals (every 4096 packets).</para>
<para>RDP provides different authentication methods:<orderedlist>
<listitem>
<para>Historically, RDP4 authentication was used, with which the
RDP client does not perform any checks in order to verify the
identity of the server it connects to. Since user credentials can
be obtained using a "man in the middle" (MITM) attack, RDP4
authentication is insecure and should generally not be
used.</para>
</listitem>
<listitem>
<para>RDP5.1 authentication employs a server certificate for which
the client possesses the public key. This way it is guaranteed
that the server possess the corresponding private key. However, as
this hard-coded private key became public some years ago, RDP5.1
authentication is also insecure.</para>
</listitem>
<listitem>
<para>RDP5.2 authentication uses the Enhanced RDP Security, which
means that an external security protocol is used to secure the
connection. RDP4 and RDP5.1 use Standard RDP Security.
The VRDP server supports Enhanced RDP Security with TLS protocol and,
as a part of TLS handshake, sends the server certificate to the
client.</para>
<para>The <computeroutput>Security/Method</computeroutput> VRDE
property sets the desired security method, which is used for a
connection. Valid values are:<itemizedlist>
<listitem>
<para>
<computeroutput>Negotiate</computeroutput> - both Enhanced (TLS)
and Standard RDP Security connections are allowed. The security
method is negotiated with the client. This is the default setting.
</para>
</listitem>
<listitem>
<para>
<computeroutput>RDP</computeroutput> - only Standard RDP Security
is accepted.</para>
</listitem>
<listitem>
<para>
<computeroutput>TLS</computeroutput> - only Enhanced RDP Security
is accepted. The client must support TLS.</para>
</listitem>
</itemizedlist>
For example the following command allows a client to use either Standard
or Enhanced RDP Security connection:
<screen>vboxmanage modifyvm "VM name" --vrdeproperty "Security/Method=negotiate"</screen>
</para>
<para>If the <computeroutput>Security/Method</computeroutput> property is
set to either <computeroutput>Negotiate</computeroutput> or
<computeroutput>TLS</computeroutput>, the TLS protocol will be automatically
used by the server, if the client supports TLS. However, in order to use TLS
the server must possess the Server Certificate, the Server Private Key and the
Certificate Authority (CA) Certificate. The following example shows how to
generate a server certificate.<orderedlist>
<listitem>
Create a CA self signed certificate:
<screen>openssl req -new -x509 -days 365 -extensions v3_ca \
-keyout ca_key_private.pem -out ca_cert.pem</screen>
</listitem>
<listitem>
Generate a server private key and a request for signing:
<screen>openssl genrsa -out server_key_private.pem
openssl req -new -key server_key_private.pem -out server_req.pem</screen>
</listitem>
<listitem>
Generate the server certificate:
<screen>openssl x509 -req -days 365 -in server_req.pem \
-CA ca_cert.pem -CAkey ca_key_private.pem -set_serial 01 -out server_cert.pem</screen>
</listitem>
</orderedlist>
The server must be configured to access the required files:
<screen>vboxmanage modifyvm "VM name" \
--vrdeproperty "Security/CACertificate=path/ca_cert.pem"</screen>
<screen>vboxmanage modifyvm "VM name" \
--vrdeproperty "Security/ServerCertificate=path/server_cert.pem"</screen>
<screen>vboxmanage modifyvm "VM name" \
--vrdeproperty "Security/ServerPrivateKey=path/server_key_private.pem"</screen>
</para>
</listitem>
</orderedlist></para>
<para>As the client that connects to the server determines what type
of encryption will be used, with rdesktop, the Linux RDP viewer, use the
<computeroutput>-4</computeroutput> or
<computeroutput>-5</computeroutput> options.</para>
</sect2>
<sect2 id="vrde-multiconnection">
<title>Multiple connections to the VRDP server</title>
<para>The VRDP server of VirtualBox supports multiple simultaneous
connections to the same running VM from different clients. All connected
clients see the same screen output and share a mouse pointer and
keyboard focus. This is similar to several people using the same
computer at the same time, taking turns at the keyboard.</para>
<para>The following command enables multiple connection mode: <screen>VBoxManage modifyvm "VM name" --vrdemulticon on</screen></para>
</sect2>
<sect2 id="vrde-multimonitor">
<title>Multiple remote monitors</title>
<para>To access two or more remote VM displays you have to enable the
VRDP multiconnection mode (see <xref
linkend="vrde-multiconnection" />).</para>
<para>The RDP client can select the virtual monitor number to connect to
using the <computeroutput>domain</computeroutput> logon parameter
(<computeroutput>-d</computeroutput>). If the parameter ends with
<computeroutput>@</computeroutput> followed by a number, VirtualBox
interprets this number as the screen index. The primary guest screen is
selected with <computeroutput>@1</computeroutput>, the first secondary
screen is <computeroutput>@2</computeroutput>, etc.</para>
<para>The Microsoft RDP6 client does not let you specify a separate
domain name. Instead, use
<computeroutput>domain\username</computeroutput> in the
<computeroutput>Username:</computeroutput> field -- for example,
<computeroutput>@2\name</computeroutput>.
<computeroutput>name</computeroutput> must be supplied, and must be the
name used to log in if the VRDP server is set up to require credentials.
If it is not, you may use any text as the username.</para>
</sect2>
<sect2 id="vrde-videochannel">
<title>VRDP video redirection</title>
<para>Starting with VirtualBox 3.2, the VRDP server can redirect video
streams from the guest to the RDP client. Video frames are compressed
using the JPEG algorithm allowing a higher compression ratio than
standard RDP bitmap compression methods. It is possible to increase the
compression ratio by lowering the video quality.</para>
<para>The VRDP server automatically detects video streams in a guest as
frequently updated rectangular areas. As a result, this method works
with any guest operating system without having to install additional
software in the guest; in particular, the Guest Additions are not
required.</para>
<para>On the client side, however, currently only the Windows 7 Remote
Desktop Connection client supports this feature. If a client does not
support video redirection, the VRDP server falls back to regular bitmap
updates.</para>
<para>The following command enables video redirection: <screen>VBoxManage modifyvm "VM name" --vrdevideochannel on</screen></para>
<para>The quality of the video is defined as a value from 10 to 100
percent, representing a JPEG compression level (where lower numbers mean
lower quality but higher compression). The quality can be changed using
the following command: <screen>VBoxManage modifyvm "VM name" --vrdevideochannelquality 75</screen></para>
</sect2>
<sect2 id="vrde-customization">
<title>VRDP customization</title>
<para>With VirtualBox 4.0 it is possible to disable display output,
mouse and keyboard input, audio, remote USB or clipboard individually in
the VRDP server.</para>
<para>The following commands change corresponding server
settings:</para>
<screen>VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableDisplay=1
VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableInput=1
VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableUSB=1
VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableAudio=1
VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableClipboard=1
VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableUpstreamAudio=1</screen>
<para>To reenable a feature use a similar command without the trailing
1. For example: <screen>VBoxManage modifyvm "VM name" --vrdeproperty Client/DisableDisplay=</screen></para>
<para>These properties were introduced with VirtualBox 3.2.10. However,
in the 3.2.x series, it was necessary to use the following commands to
alter these settings instead:</para>
<screen>VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableDisplay" 1
VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableInput" 1
VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableUSB" 1
VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableAudio" 1
VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableClipboard" 1</screen>
<para>To reenable a feature use a similar command without the trailing
1. For example: <screen>VBoxManage setextradata "VM name" "VRDP/Feature/Client/DisableDisplay"</screen></para>
</sect2>
</sect1>
<sect1 id="teleporting">
<title>Teleporting</title>
<para>Starting with version 3.1, VirtualBox supports "teleporting" -- that
is, moving a virtual machine over a network from one VirtualBox host to
another, while the virtual machine is running. This works regardless of
the host operating system that is running on the hosts: you can teleport
virtual machines between Solaris and Mac hosts, for example.</para>
<para>Teleporting requires that a machine be currently running on one
host, which is then called the <emphasis role="bold">"source"</emphasis>.
The host to which the virtual machine will be teleported will then be
called the <emphasis role="bold">"target"</emphasis>; the machine on the
target is then configured to wait for the source to contact the target.
The machine's running state will then be transferred from the source to
the target with minimal downtime.</para>
<para>Teleporting happens over any TCP/IP network; the source and the
target only need to agree on a TCP/IP port which is specified in the
teleporting settings.</para>
<para>At this time, there are a few prerequisites for this to work,
however:<orderedlist>
<listitem>
<para>On the target host, you must configure a virtual machine in
VirtualBox with exactly the same hardware settings as the machine on
the source that you want to teleport. This does not apply to
settings which are merely descriptive, such as the VM name, but
obviously for teleporting to work, the target machine must have the
same amount of memory and other hardware settings. Otherwise
teleporting will fail with an error message.</para>
</listitem>
<listitem>
<para>The two virtual machines on the source and the target must
share the same storage (hard disks as well as floppy and CD/DVD
images). This means that they either use the same iSCSI targets or
that the storage resides somewhere on the network and both hosts
have access to it via NFS or SMB/CIFS.</para>
<para>This also means that neither the source nor the target machine
can have any snapshots.</para>
</listitem>
</orderedlist></para>
<para>Then perform the following steps:<orderedlist>
<listitem>
<para>On the <emphasis>target</emphasis> host, configure the virtual
machine to wait for a teleport request to arrive when it is started,
instead of actually attempting to start the machine. This is done
with the following VBoxManage command:<screen>VBoxManage modifyvm <targetvmname> --teleporter on --teleporterport <port></screen></para>
<para>where <computeroutput><targetvmname></computeroutput> is
the name of the virtual machine on the target host and
<computeroutput><port></computeroutput> is a TCP/IP port
number to be used on both the source and the target hosts. For
example, use 6000. For details, see <xref
linkend="vboxmanage-modifyvm-teleport" />.</para>
</listitem>
<listitem>
<para>Start the VM on the target host. You will see that instead of
actually running, it will show a progress dialog. indicating that it
is waiting for a teleport request to arrive.</para>
</listitem>
<listitem>
<para>Start the machine on the <emphasis>source</emphasis> host as
usual. When it is running and you want it to be teleported, issue
the following command on the source host:<screen>VBoxManage controlvm <sourcevmname> teleport --host <targethost> --port <port></screen></para>
<para>where <computeroutput><sourcevmname></computeroutput> is
the name of the virtual machine on the source host (the machine that
is currently running),
<computeroutput><targethost></computeroutput> is the host or
IP name of the target host on which the machine is waiting for the
teleport request, and <computeroutput><port></computeroutput>
must be the same number as specified in the command on the target
host. For details, see <xref
linkend="vboxmanage-controlvm" />.</para>
</listitem>
</orderedlist></para>
<para>For testing, you can also teleport machines on the same host; in
that case, use "localhost" as the hostname on both the source and the
target host.<note>
<para>In rare cases, if the CPUs of the source and the target are very
different, teleporting can fail with an error message, or the target
may hang. This may happen especially if the VM is running application
software that is highly optimized to run on a particular CPU without
correctly checking that certain CPU features are actually present.
VirtualBox filters what CPU capabilities are presented to the guest
operating system. Advanced users can attempt to restrict these virtual
CPU capabilities with the <computeroutput>VBoxManage --modifyvm
--cpuid</computeroutput> command; see <xref
linkend="vboxmanage-modifyvm-teleport" />.</para>
</note></para>
</sect1>
</chapter>
|
