Shadowing

From NComputing Knowledge Base
Jump to: navigation, search

Shadowing in our terminology means that you see the screen of one machine on another machine. Other terms to describe this would be screen-sharing, mirroring, remote assistance. It means that basically two people on two different workplaces will get to see the same contents (although there doesn't need a second person to be present) and be able to work with keyboard and mouse.

Getting an endpoint screen from NoTouch Center

The way we use "shadowing" means that you get a screen-sharing connection to a specific endpoint PC.

Center-en-VNC.jpg

This uses the VNC protocol, which might not be the best protocol around, but it is free, that means you don't need to pay a third party. In NoTouch Center, select the PC you want to be shadowed, and click on the Shadowing icon on the top-right corner. The user will have to accept the incoming connection by pressing "Yes" on the dialog box that appears.

For this shadowing to work, you must have a Java plug-in installed and enabled in your browser, as it uses a Java applet.

Technically speaking, NoTouch Center will send a command to the client to start the VNC server that usually doesn't run and then launch the Java applet pointed to this endpoint machine. After closing the connection, the VNC server on the client will terminate again.

How to find the client to shadow

Most likely the Identify feature will help you in shadowing situation, especially when it is a user that is asking for help.

Allow unattended shadowing

By default, the user on the endpoint machine is asked if the incoming screen-sharing is allowed or not. Normally the user will click "Yes" to approve the request.

There are some cases when a machine needs to be shadowed, but no user is working on this machine or no keyboard/mouse attached. Examples are display terminals in bus or train stations or airports, or displays in industry halls or construction machines behind glass walls. To enable shadowing on these machines, set the parameter "Ask user at new connection" to "off". You will find this parameter in the "Screen shadowing" section of the "Services" parameters.

Please not that shadowing users without their consent is illegal in most legislations in the world.

Shadow endpoints from a standalone VNC client

OS-en-VNC.jpg

Most people find the methods above (from NoTouch Center) and below (user-initiated) very comfortable. In some situations, you may want to use a standalone VNC client to connect to the endpoint systems. The clients can actually launch a VNC server, not just on request by NoTouch Center, but as a background service. In that situation, you must also set a shadowing password.

The following modes are available:

  • off. The VNC server is not started by default (only when NoTouch Center issues a shadowing request).
  • on/once. The VNC server will start at boot time, allow exactly one connection, and then terminate.
  • on/only one. The VNC server will start at boot time, allow exactly one simultaneous connection.
  • on/replace. The VNC server will start at boot time, and any subsequent new connection from a VNC connection will terminate the existing connection.
  • on/shared. The VNC server will start at boot time, and multiple VNC clients can connect and all see and work on the same screen.

The parameters offering these modes are:

  • In NoTouch Center, parameter "Session shadowing" among the Desktop Settings' Connection parameters
  • On the endpoint, "Services" -> "Screen shadowing", the parameter is called "Mode".

The parameter "Shadowing password" allows the user to set the password that will be specifically used for standalone VNC. It must be set, otherwise, the standalone VNC server will not start. Older NoTouch versions that do not have this parameter use the normal admin password instead.

The parameter "Shadowing TCP port" allows the user to set the TCP port that will be opened in VNC server. It must be set, otherwise, you can not connect to VNC server.


Windows users may find a freeware VNC viewer here: TightVNC download page

User-initiated shadowing with TeamViewer

Client-en-Teamviewer.jpg

We also support TeamViewer for user-initiated screen sharing/conferencing, but then the helpdesk person or sysadmin must have a licensed TeamViewer on his/her PC, and the TeamViewer binaries first need to be supplied to the clients since it's not included by default - more information about this mechanism could be found here: TeamViewer

There are two ways how you can allow your users to launch TeamViewer:

  • You can create a TeamViewer connection, available for your users to be started by clicking on it,
  • or via the TeamViewer hotkey (by default Ctrl-Alt-t).

The TeamViewer application will launch and display connection id and passcode - both have to be passed on the helping person via telephone, chat, email.

TeamViewer can do much more than just view the remote screen, it supports audio, file transfer, and even webcams.

The TeamViewer client is only allowed to receive connections from a licensed TeamViewer installation (helpdesk, sysadmin). It can do outgoing connections for test and demonstration, subject to restrictions (five minutes maximum connection length), but it is really meant to be for incoming connections only.

Security considerations

NoTouch uses an X11-based VNC server without encryption (x11vnc). It use a scrambling technique to protect the passwords sent over the wire, but the actual VNC connection is unencrypted. Thus, over the open Internet we advise to rather use Teamviewer (if you choose to trust Teamviewer).

Running a standalone VNC server opens a TCP port and requires you to rely on x11vnc's security. We advise people to NOT keep the standalone VNC server running all the time as this would require you to trust both the password and the actual x11vnc version. It could have bugs that could be exploited from remote.

NoTouch Center starts up the VNC server on demand and uses an autogenerated random password. Earlier versions used the client administrator password.