Vector PC-Duo Gateway, PC-Duo 12.0 User Manual
PC-Duo Gateway Server Guide
Release 12.0
February 2012
Vector Networks Technologies
541 Tenth Street, Unit 123
Atlanta, GA 30318
(800) 330-5035
http://www.vector-networks.com
© Copyright 2012 Vector Networks Technologies and Proxy Networks, Inc. All rights reserved.
PC-Duo is a trademark of Vector Networks Technologies, and PROXY is a trademark of Proxy
Networks, Inc. Microsoft, Windows, Windows NT, Windows Server, and other Microsoft products
referenced herein are either trademarks or registered trademarks of the Microsoft Corporation in the
United States and other countries. Novell and NetWare are registered trademarks of Novell, Inc. All
other trademarks are the property of their respective owners.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org), cryptographic software written by Eric Young (eay@cryptsoft.com), and
compression software from the ZLIB project (http://www.zlib.net/).
PC-Duo Gateway Server Guide
Table of Contents
PC-Duo overview .......................................................................................................................................... 5
What‘s New in PC-Duo 12.0 ...................................................................................................................... 6
What‘s New in PC-Duo 11.6 .................................................................................................................. 6
What‘s New in PC-Duo 11.3 .................................................................................................................. 7
What's New in PC-Duo 11.2 .................................................................................................................. 7
PC-Duo solutions ....................................................................................................................................... 8
PC-Duo Express .................................................................................................................................... 8
PC-Duo Enterprise ................................................................................................................................. 8
PC-Duo applications .................................................................................................................................. 9
PC-Duo Host ........................................................................................................................................ 10
PC-Duo Master .................................................................................................................................... 11
PC-Duo Gateway ................................................................................................................................. 12
PC-Duo Web Console.......................................................................................................................... 13
PC-Duo Deployment Tool .................................................................................................................... 14
PC-Duo technologies ............................................................................................................................... 15
PC-Duo services ...................................................................................................................................... 16
PC-Duo connection types ........................................................................................................................ 17
RDP compatibility: Follow the active session ...................................................................................... 17
Wake-on-LAN support ......................................................................................................................... 17
Peer-to-peer connections .................................................................................................................... 18
Gateway-managed connections .......................................................................................................... 19
Firewall-friendly connections ............................................................................................................... 20
Terminal services connections ............................................................................................................ 20
VNC connections ................................................................................................................................. 22
PC-Duo security features ........................................................................................................................ 23
Authentication ...................................................................................................................................... 23
Authorization ........................................................................................................................................ 26
Auditing ................................................................................................................................................ 26
Encryption ............................................................................................................................................ 26
PC-Duo networking features ................................................................................................................... 28
Network protocols ................................................................................................................................ 28
Network addressing schemas .............................................................................................................. 28
PC-Duo documentation and technical support ........................................................................................ 29
2
PC-Duo Overview
Typographical conventions in documentation ..................................................................................... 29
Technical support options .................................................................................................................... 30
Gateway Installation .................................................................................................................................... 31
Requirements .......................................................................................................................................... 32
Operating system requirements ........................................................................................................... 32
Hardware requirements ....................................................................................................................... 32
Installation requirements ...................................................................................................................... 32
Screen recording requirements ........................................................................................................... 32
Network requirements .......................................................................................................................... 33
Configuration options ............................................................................................................................... 34
Installation notes ...................................................................................................................................... 35
Install via internet download ................................................................................................................ 35
Windows Firewall exceptions ............................................................................................................... 35
Gateway service accounts....................................................................................................................... 36
Use the default service account ........................................................................................................... 36
Use a different service account ........................................................................................................... 36
Use shared screen password authentication ....................................................................................... 36
SSL certificates ........................................................................................................................................ 38
Select a previously installed certificate ................................................................................................ 39
Create and install a self-signed server certificate ................................................................................ 39
Create a certificate request for a certificate authority .......................................................................... 40
Cancel pending request to a certificate authority ................................................................................ 40
Install a certificate created by a certificate authority ............................................................................ 40
Remove selected certificate from Gateway ......................................................................................... 41
View Certificate .................................................................................................................................... 41
Licensing.................................................................................................................................................. 44
Add a license key before your trial period expires ............................................................................... 44
Add a license key after your trial period expires .................................................................................. 45
Upgrade a license key ......................................................................................................................... 45
Gateway Operation ..................................................................................................................................... 46
Start the Gateway .................................................................................................................................... 47
Run the Gateway Administrator .............................................................................................................. 48
Configure security through the Gateway ................................................................................................. 49
Configure the Gateway ............................................................................................................................ 50
Gateway Configuration ................................................................................................................................ 52
Remote Control Gateway servers ........................................................................................................... 53
Add a Gateway .................................................................................................................................... 53
3
PC-Duo Gateway Server Guide
Connect/Disconnect ............................................................................................................................. 54
About the product ................................................................................................................................. 54
Web menu ............................................................................................................................................ 54
View ..................................................................................................................................................... 54
Export List ............................................................................................................................................ 54
Gateway connection properties ........................................................................................................... 54
Gateway Server Settings ......................................................................................................................... 58
General Settings .................................................................................................................................. 58
Polling for Hosts ................................................................................................................................... 82
Gateway Security ................................................................................................................................. 87
Managed Hosts ....................................................................................................................................... 95
Menu options ....................................................................................................................................... 95
Send Wake-on-LAN Signal .................................................................................................................. 97
All Hosts group ..................................................................................................................................... 97
Manage groups .................................................................................................................................... 98
Manage Hosts .................................................................................................................................... 109
Terminal Services group .................................................................................................................... 124
System group ..................................................................................................................................... 125
Unmanaged Hosts ................................................................................................................................. 129
Active Status .......................................................................................................................................... 130
Active Users ....................................................................................................................................... 130
Active Gateway Data Services .......................................................................................................... 130
Active Master Connection Services ................................................................................................... 131
Active Hosts ....................................................................................................................................... 131
Active Recordings .............................................................................................................................. 132
Reverse Connections......................................................................................................................... 132
Pending Host Status Updates ............................................................................................................ 133
Help ....................................................................................................................................................... 134
About PC-Duo Gateway..................................................................................................................... 134
Gateway Event Messages ........................................................................................................................ 135
4
PC-Duo Overview
PC-Duo overview
Thank you for selecting PC-Duo remote desktop solutions.
PC-Duo remote desktop solutions provide professional features that enable helpdesk
technicians, network administrators, IT managers, and software trainers to deliver
professional remote support for a fraction of the cost of hosted solutions.
Some selected features include:
Remote Access: Reach anyone, anywhere, anytime using firewall- and NAT-friendly
remote control connections.
Remote Control: Diagnose and resolve support issues without having to physically
visit remote computer.
Remote Management: Repair remote computers and make configuration changes in
real-time and without disturbing currently logged-on user.
Collaboration: Enable two or more technicians to work on the same remote computer
at the same time using chat, screen-sharing and easy-to-pass remote support.
NOTE: Before you use PC-Duo remote desktop solutions, you should be familiar with
basic network concepts, such as protocols, encryption, IP addresses, ports, and subnets.
To learn more about PC-Duo remote desktop solutions, see:
"What's New"
"PC-Duo solutions"
"PC-Duo applications"
"PC-Duo technologies"
"PC-Duo services"
"PC-Duo connection types"
"PC-Duo security features"
"PC-Duo networking features"
"PC-Duo documentation and technical support"
5
PC-Duo Gateway Server Guide
What’s New in PC-Duo 12.0
PC-Duo 12.0 introduces the following new features and capabilities:
Web Console: A new server-side application that enables browser-based access to
the Gateway Server (see PC-Duo Web Console Operating Guide)
“Click Once” Remote Desktop Window: Ability to launch a Remote Desktop
Window to a remote desktop through the Web Console without a Master. No
administrative rights needed and no reboot required (see PC-Duo Web Console
Operating Guide)
Citrix XenApp support: Option to restrict injection of Terminal Services Host
instances into ―desktop‖ sessions only, and not into ―application‖ sessions (see PC-Duo
Host Guide)
Kernel-mode Screen Capture driver: The kernel-mode screen capture driver is now
available for Windows 7, Vista and Windows 2008 Server. In many situations, the kernelmode screen capture driver will outperform the default user-mode screen capture driver
(see PC-Duo Host Guide)
Input Suppression: Ability to turn off keyboard and mouse input on the remote
desktop machine for Windows 7, Vista and Windows 2008 Server (see PC-Duo Master
Guide)
Assignment of Hosts: Ability to automate the assignment of Hosts to custom
Gateway Groups using Windows Powershell scripting (see PC-Duo Host Guide)
Address Bindings: Ability to bind the SSL and TCP network protocols to all
addresses or to select specific addresses on the Gateway Server (see Address Bindings)
What’s New in PC-Duo 11.6
Windows 7 support: PC-Duo 11.6 provides full support (remote access, remote
control, remote management) for Windows 7 computers, including 32- and 64-bit
platforms.
Windows Server 2008 R2 support: PC-Duo 11.6 provides full support (remote
access, remote control, remote management) for Windows Server 2008 R2 computers
(64-bit platforms only).
Mac, Linux support: PC-Duo 11.6 provides support (remote access, remote control)
for Macintosh and Linux computers running VNC server software (standard on Macs).
Wake-on-LAN support: PC-Duo 11.6 includes ability to turn on remote computers
that are configured to listen for Wake-on-LAN signal.
Remote Power Scheme management: PC-Duo 11.6 includes new remote
management tools that allows Master user to view and change power scheme settings on
remote computers.
Screen Recording Playback via URL: PC-Duo 11.6 includes ability for Master to
playback a PC-Duo screen recording from a standard web server over HTTP or HTTPS.
RDP compatibility: If a remote computer is hosting an active RDP session, PC-Duo
11.6 Host will capture and provide input control to the RDP session.
6
PC-Duo Overview
Active Directory integration: PC-Duo 11.6 Deployment Tool can now be used to
discover computers and OUs in Active Directory domains, install new PC-Duo software,
upgrade existing software, and/or push configuration changes to existing software.
What’s New in PC-Duo 11.3
Remote Management service: PC-Duo 11.3 features a new service that allows
Master user to generate inventory of hardware and software assets on a remote Host.
Also allows Master user to query and change certain system settings.
Terminal Services support: PC-Duo 11.3 supports server-side Hosts for thin client,
terminal services sessions for Citrix XenApp (formerly Citrix Presentation Server) and
Windows Terminal Server.
User-Mode Screen Capture optimization: PC-Duo 11.3 includes significant
performance and reliability enhancements for user-mode screen capture technology
introduced in PC-Duo 11.2.
What's New in PC-Duo 11.2
PC-Duo 11.2 introduced the following new features and capabilities:
Windows Vista and Server 2008 support: PC-Duo 11.2 applications (Host, Master,
Gateway, Deployment Tool) now run on Windows Vista and Windows Server 2008
operating systems.
NOTE: PC-Duo 11.2 introduces a new screen capture technology (user-mode) for
Windows Vista and Windows Server 2008 platforms.
Bandwidth throttling: PC-Duo 11.2 allows screen capture settings to be modified in
order to reduce the amount of bandwidth used. Usually, this will reduce screen capture
quality but improve responsiveness and overall performance (see PC-Duo Host Guide for
more information).
Popup notifications: PC-Duo 11.2 supports popup "toast" notifications when
connections are established to remote computers (see PC-Duo Host Guide for more
information).
Send keystroke button: PC-Duo 11.2 now provides a new toolbar button on the
Master Remote Desktop Window, which can be configured to send Ctrl+Alt+Del or one of
the other available keyboard combinations to remote computer (see PC-Duo Master
Guide for more information).
Host-based chat: PC-Duo 11.2 introduces support for Host-based chat. This new
service automatically creates a private chat room including Host user and any technicians
connected to the Host. Technicians can see and participate in multiple chat rooms
simultaneously (see PC-Duo Master Guide for more information).
File transfer resume: Occasionally, a file transfer operation is interrupted when a
connection is lost. PC-Duo 11.2 introduces the ability to resume interrupted file transfers
exactly from the point of interruption (see PC-Duo Master Guide for more information).
Windows Media format support: PC-Duo screen recording files are produced in a
streamlined, proprietary format and play back in a viewer provided with PC-Duo Master.
PC-Duo 11.2 introduces a new utility to enable technicians to convert PC-Duo screen
recording files into Windows Media format for play back in WM-compatible players and
editing in off-the-shelf media tools (see PC-Duo Master Guide for more information).
7
PC-Duo Gateway Server Guide
PC-Duo Features
PC-Duo Express
PC-Duo
Enterprise
Components
PC-Duo Host
Yes
Yes
PC-Duo Master
Yes
Yes
PC-Duo Gateway
No
Yes
PC-Duo Web Console
No
Yes
PC-Duo Deployment Tool
Yes
Yes
Connection Types
Peer-to-peer connections
Yes
Yes
Gateway-managed connections
No
Yes
Firewall-friendly connections
No
Yes
Terminal services connections
No
Yes
VNC connections
Yes
No
PC-Duo solutions
Vector Networks provides two solutions for remote desktop support:
PC-Duo Express
PC-Duo Express is an easy-to-use remote desktop solution that uses simple peer-to-peer
connections between helpdesk technicians and end-user remote computers. It is ideally
suited for smaller companies and workgroups in which the number of remote computers
being supported is small and manageable.
PC-Duo Enterprise
PC-Duo Enterprise is an enterprise-class remote desktop solution that uses a robust,
scalable server to establish and maintain a secure network of connections to end-user
machines. It leverages centralized administration, security and network access to simplify
and automate the creation, management, and monitoring of this ―network within a
network‖. PC-Duo Enterprise is ideally suited for enterprises and corporate workgroups
with large numbers of remote computers, multiple domains and/or employees with
remote computers outside the network.
8
PC-Duo Overview
PC-Duo Applications
PC-Duo Express
PC-Duo
Enterprise
PC-Duo Host
Yes
Yes
PC-Duo Master
Yes
Yes
PC-Duo Gateway
No
Yes
PC-Duo Web Console
No
Yes
PC-Duo Deployment Tool
Yes
Yes
PC-Duo applications
The PC-Duo remote desktop solutions include some or all of the following applications:
9
PC-Duo Gateway Server Guide
PC-Duo Host
PC-Duo Host is an agent application that enables remote support connections to be
established to the machine on which it runs. By installing PC-Duo Host on a computer in
your network, you can:
Allow technicians to make peer-to-peer remote control connections to the machine,
whether someone is there or not. Each Host manages its own security settings and
access rights.
Allow or force technicians to make Gateway-managed remote support connections to
the machine through a central server (PC-Duo Gateway), which will automatically enforce
security settings and access rights according to policies set at the server.
PC-Duo Host can now be installed in server-side terminal sessions for application
virtualization solutions such as Citrix XenApp and Microsoft Terminal Server.
For more information about configuring and operating PC-Duo Host, please see the PC-
Duo Host Guide.
10
PC-Duo Overview
PC-Duo Master
PC-Duo Master is a console application that technicians can use to establish remote
support connections to one or more Host computers. With PC-Duo Master, you can:
Make one or more peer-to-peer remote support connections to Host computers in your
network.
Connect to PC-Duo Gateway and make one or more Gateway-managed remote
support connections to Host computers from a directory of available Hosts.
View the entire screen of the remote computer.
Take complete control of a Host computer using the local keyboard and mouse.
Share control of the Host computer with its end-user.
Passively monitor the Host computer without exercising control.
Use the clipboard transfer feature to transfer portions of text, bitmaps, and other
objects between your Host and Master computers.
Use the PC-Duo file transfer feature to copy files between your Host and Master
computers.
Use the PC-Duo remote printing feature to print locally from applications running on a
remote computer.
Record screen activity on the Host and play back the recording on the Master.
Chat with end-user and any other technicians connected to the same Host.
For more information about configuring and operating PC-Duo Master, please see the
PC-Duo Master Guide.
11
PC-Duo Gateway Server Guide
PC-Duo Gateway
PC-Duo Gateway is an enterprise class server, which provides centralized administration,
security and management for a network of remote support connections to Host
computers in your environment.
With PC-Duo Gateway configured as the hub of your remote support network, you can:
Organize large numbers of Host computers into logical groups for easier access and
management.
Reach remote computers outside the network, behind firewalls or NAT-devices.
Utilize SSL for certificate-based authentication.
Create custom access rights policies and apply them to groups to make configuration
changes more quickly and efficiently.
Monitor and manage remote support activity in real-time.
Keep detailed records of all remote support activity in your network with
comprehensive audit logs.
Record screen activity on one or more remote computers simultaneously using PC-
Duo Gateway‘s screen recording feature.
PC-Duo Gateway includes the PC-Duo Gateway Administrator, a tool for configuring the
Gateway and for monitoring, managing and auditing remote support activity in your
network.
For more information about configuring and operating PC-Duo Gateway, please see the
PC-Duo Gateway Server Guide.
12
PC-Duo Overview
PC-Duo Web Console
PC-Duo Web Console is a web application that provides browser-based access to the
PC-Duo Gateway Server.
With PC-Duo Web Console:
Administrators can access and edit all the configuration information on the Gateway
Server, including Groups, Security, Permissions, etc. The Administrative web account
can be used in conjunction with or instead of the standalone Gateway Administrator
application.
Helpdesk technicians can view and access and remote machines that they have
permission to view. The Master web account can be used in conjunction with or instead
of the standalone Master application.
Regular employees can view and access their computers at work, even if they are on
the road or at home. The Personal web account offers convenient, secure, reliable
alternative to VPN.
For more information about configuring and operating PC-Duo Web Console, please see
the PC-Duo Web Console Operating Guide.
For more information about installing PC-Duo Web Console, please see the PC-Duo Web
Console Installation Guide.
13
PC-Duo Gateway Server Guide
PC-Duo Deployment Tool
PC-Duo Deployment Tool is an easy-to-use software distribution utility that automates the
deployment and installation of PC-Duo applications to remote computers in your network.
With PC-Duo Deployment Tool, you can:
Automatically deploy an image of PC-Duo Host, Master or Gateway to one or more
computers or groups of computers in your network and avoid manual effort of going to
each machine.
Create an image of PC-Duo Host, Master or Gateway with custom configuration
options that can be mass deployed on large numbers of computers in your environment.
Create and push custom configuration options for PC-Duo Host, Master or Gateway,
without having to reinstall underlying software.
Use Active Directory to find remote computers and push software and configuration
settings to them.
For more information about configuring and operating PC-Duo Deployment Tool, please
see the PC-Duo Deployment Tool Guide.
14
PC-Duo Overview
PC-Duo technologies
PC-Duo remote desktop solutions utilize highly optimized technologies to deliver speed,
performance and reliability, including:
Highly efficient screen capture algorithms. PC-Duo utilizes two kinds of screen
capture technology:
Kernel-mode screen capture. This technology utilizes the PC-Duo mirror driver,
which reproduces graphics drawing commands from the remote Host on the PCDuo Master user‘s screen quickly and efficiently.
User-mode screen capture. This technology works without a mirror driver and is
designed to adjust automatically to the amount of CPU and bandwidth available on
the remote Host machine.
Streamlined communication protocol. The PC-Duo protocol has been honed over
15 years for efficiency and reliability when sending screen capture data to another
computer in real-time and receiving keyboard/mouse input.
Using these technologies, PC-Duo remote support solutions enable technicians to find
and fix problems on remote computers faster and easier than ever before.
15
PC-Duo Gateway Server Guide
PC-Duo services
PC-Duo remote desktop solutions offer technicians a number of professional-quality
services for investigating and solving problems on Host remote computers, including:
Remote Control: ability to view screen activity on an end-user‘s remote machine, and
with proper authorization, take control of and send keyboard/mouse inputs to the remote
machine in real-time
Remote Clipboard: ability to copy selected items on the screen of a remote machine
into the clipboard on the remote machine and transfer the contents to the clipboard on
the technician‘s machine, and vice versa
File Transfer: ability to drag-and-drop files or directories on the remote machine to
the technician‘s machine, and vice versa
Host-based Chat: ability to chat with the end-user on a remote machine, and any
other technicians connected to that machine
Remote Printing: ability to print selected items from the remote machine to a printer
attached to the technician‘s machine
Host Administration: ability to view and edit configuration settings of the PC-Duo
Host installed on the remote machine
Remote Management: ability to generate inventory of hardware and software assets
on remote machine, and to query and change certain system settings. See "Remote
Management features" for more information about tools available through this service.
16
PC-Duo Overview
PC-Duo Connection Types
PC-Duo Express
PC-Duo
Enterprise
Peer-to-peer connections
Yes
Yes
Gateway-managed connections
No
Yes
Firewall-friendly connections
No
Yes
Terminal services connections
No
Yes
VNC connections
Yes
No
PC-Duo connection types
PC-Duo services are performed over service connections between a PC-Duo Master
(with appropriate access rights) and a PC-Duo Host. Service connections are established
on demand, when a PC-Duo Master requests a service from a PC-Duo Host.
PC-Duo supports several different types of remote access connections:
RDP compatibility: Follow the active session
PC-Duo connections can be used to share an active RDP session in real-time.
If PC-Duo Host is running on a desktop-class operating system (e.g. Windows XP or
Vista), and there is an active/connected RDP session being hosted on that computer,
then the Host will automatically capture and provide input control to that RDP session. In
essence, the Host will capture what the remote RDP session user is seeing, not what the
local physical console on that machine is showing (probably the Windows login screen).
When there is no active/connected RDP session being hosted on that computer, or if an
active/connected RDP session is stopped, the Host will automatically capture and provide
input control to the session running on the computer and being displayed on the local
console. The Host will follow the active session as it moves from RDP user back to the
local console.
Note: This feature only applies to desktop-class operating systems, which support only
one active session at a time. Server-class operating systems (e.g. Windows Server 2003
or Server 2008) can support multiple sessions simultaneously via Terminal Services; use
the Terminal Services support in the Host to capture and/or provide input control to one
or more sessions on server-class OS.
Wake-on-LAN support
PC-Duo can be used to "wake-up" remote computers that have been shut down
(sleeping, hibernating, or soft off; i.e., ACPI state G1 or G2), with power reserved for the
network card, but not disconnected from its power source. The network card listens for a
specific packet containing its MAC address, called the magic packet, that is broadcast on
the subnet or LAN.
In order to execute this feature, both the MAC address and the last known IP address of
the remote computer must be known. Since the PC-Duo Gateway knows both of these
pieces of information, it is in a position to send the Wake-on-LAN signal.
17
PC-Duo Gateway Server Guide
PC-Duo implements this functionality in Gateway-managed connections in two ways:
Implicit Wake-on-LAN: If Gateway is asked to make a connection to a remote
computer and the last status indicates that the remote computer is "Offline", the Gateway
will automatically attempt to wake up the remote computer by sending appropriately
configured WOL signal. If the remote computer was shut down in a state capable of
receiving WOL signal, it will wake up and report to the Gateway and a connection will be
established.
Explicit Wake-on-LAN: A network administrator, using either PC-Duo Master or PC-
Duo Gateway Administrator, can attempt to wake up a remote computer by explicitly
sending the WOL signal to that machine. If the remote computer was shut down in a state
capable of receiving WOL signal, it will wake up and report to the Gateway and a
connection will be established.
See "Send Wake-on-LAN Signal" in the PC-Duo Master Guide for more information.
Peer-to-peer connections
When a computer with PC-Duo Master establishes a direct connection to a computer with
PC-Duo Host, the connection that is established is a peer-to-peer connection.
By default, PC-Duo Master searches the network for Host computers when it starts up.
Any Host computers it finds are listed on the Peer-to-Peer Hosts tab of the PC-Duo Master
window.
Peer-to-peer connections from Master (M) to Host (H)
18
PC-Duo Overview
The dotted and solid lines, shown in above depict two different sets of peer-to-peer
connections between PC-Duo Masters to PC-Duo Hosts. PC-Duo‘s peer-to-peer
connections enable the following:
PC-Duo Master users with proper credentials can securely access Host computers
within the network.
When you permit full access to a Host computer, the PC-Duo Master user can monitor
all activity on the Host computer. In addition, PC-Duo Master users with full access rights
can exercise complete control over that computer.
When the Host and Masters are in the same domain, PC-Duo Host can be configured
to use the Microsoft Windows authentication service to check credentials of any PC-Duo
Master users. An access control policy can allow (or deny) full or partial access for
authenticated PC-Duo Master users to access services on a Host computer.
Although PC-Duo‘s peer-to-peer connections provide a secure solution for remote
support, this solution is not recommended for large and/or highly distributed networks;
instead, consider using PC-Duo Gateway for centrally managed remote support
connections.
Gateway-managed connections
When a computer with PC-Duo Master establishes a connection to a computer with PCDuo Host through a central server (i.e. PC-Duo Gateway), the connection that is
established is a Gateway-managed connection. In this way, the Gateway serves as a
central location for managing and monitoring connections, configuration, security and
reporting. Any Host computers found by the Gateway are listed on the Gateway Hosts tab
of the PC-Duo Master window.
In large networks, the PC-Duo Gateway can be configured to manage connections with
hundreds or thousands of Hosts simultaneously, enabling Masters to find and take
control of Hosts instantly.
Gateway-managed connections utilize the same strong authentication and authorization
that is available with PC-Duo‘s peer-to-peer connections. In addition, PC-Duo Gateway
provides the following capabilities:
Seamless connections from Master computers to Host computers through a PC-Duo
Gateway. To the PC-Duo Master user, the connection appears as if it were a peer-topeer connection to the Host computer, even if the Host is outside the domain and/or
behind a firewall or NAT device.
Centralized management of access rights to remote computers in your network. Once
you configure your Host computers to report to the PC-Duo Gateway, you can achieve
global management through a single security policy that you configure using PC-Duo
Gateway Administrator.
User-based access policies. Customize and apply access policies to individual PC-
Duo Master users or groups in your network. Allow full remote access to one or more
Host computers for some PC-Duo Master users, while restricting access rights for others.
Comprehensive logging and auditing of all remote control activity within your network.
With this feature, you can keep records of all remote support connections.
Continuous screen recording. PC-Duo Gateway allows you to record screen activity
on any remote Host. Efficient file compression makes 24x7 recording economical and
manageable.
19
PC-Duo Gateway Server Guide
Gateway (G)-managed connections from Master (M) to Host (H)
.
Firewall-friendly connections
When PC-Duo Master users need access to Hosts that are outside the domain, and/or
behind a firewall or NAT-device, normal peer-to-peer or Gateway-managed connections
will not work. In these cases, it is difficult to find and maintain a secure remote support
connection because of dynamic port assignments and other network challenges.
For these situations, PC-Duo Gateway builds special firewall-friendly connections to
these Hosts. When Hosts are outside the domain, the Hosts are programmed to
automatically initiate contact with the Gateway. The Gateway will use this initial contact to
build a firewall-friendly connection to the Host. In this way, the remote Host outside the
domain will appear just like any Host inside the domain.
Terminal services connections
PC-Duo provides server-side support (screen capture, input control, screen recording) for
session-based virtual desktops hosted by Terminal Services on Windows Server 2003 or
Window Server 2008 (now called "Remote Desktop Services"). Windows Server creates
and hosts the Terminal Services (TS) sessions like virtual machines. A presentation
technology using a display protocol such as RDP from Microsoft or ICA from Citrix is
typically used to remote the session display, as well as the keyboard and mouse input, to
and from an end user device (such as a thin client computer like a Wyse terminal).
PC-Duo allows technicians to capture (and if desired, record) the session presentation
information at the Windows Server before it is remoted to the end user device over the
RDP or ICA display protocol. PC-Duo is able to do this by injecting a Host instance into
each server-side TS session, which in turn captures and sends presentation information
20
PC-Duo Overview
directly to PC-Duo Gateway for recording and/or further transmission to a PC-Duo
Master.
Note: Because TS sessions are captured at the Windows Server (and not at the end user
device), PC-Duo Host effectively bypasses the technology used to remote the sessions to
the end users, and will therefore be compatible with Microsoft Terminal Services clients
as well as Citrix Presentation Server (now known as XenApp) clients.
Note: PC-Duo only supports TS sessions created on server-class Windows operating
systems such as Windows Server 2003 and Windows Server 2008.
See Terminal Services tab in PC-Duo Host Guide for more specific configuration and
setup information.
Root Host for TS sessions
The ―Terminal Services‖ feature of Windows Server 2003 and Windows Server 2008
allows multiple virtual desktop sessions to be active simultaneously. PC-Duo provides
remote access and remote control to these sessions on the Windows Server by injecting
a separate instance of the Host service into every new TS session. A special version of
the Host called the "root" Host must be loaded on the TS server (a "root" Host is a
standard Host with a special TS license key - see About tab in the PC-Duo Host Guide
for more information); it will automatically spawn new Host instances every time a new
TS session is created.
Transient Hosts
Each TS instance of the Host will have its own unique workstationID and must be
configured to report to a Gateway. When it first reports to the Gateway Server, it will be
automatically managed and added to the ―All Hosts‖ group. The TS Hosts are considered
transient, since they go away when the TS user logs out of his/her session. In order to
keep track of transient TS Hosts, the PC-Duo Gateway will create a new Group called
"Terminal Services on <Servername>", and automatically insert transient Hosts into this
Group. They are automatically deleted from the Gateway when the TS session ends. The
main purpose of this Group is to allow security to be assigned to the Hosts and TS
sessions that belong to this Group, and to provide the correct and appropriate access to
the TS-based Host instances.
Note: PC-Duo Host for Terminal Services works on Server 2003 & Server 2008, and
requires a Gateway Server v11.3 or later.
Recording TS Hosts
Recordings are normally deleted from the Gateway database when their associated
workstation record is deleted. Transient TS Host workstation records are automatically
deleted from the Gateway when the TS user logs out of his/her session. However, to
prevent recordings of TS Hosts from being automatically deleted when the TS session
ends, the TS session recordings are reassigned to an artificial permanent workstation
record called "Recordings on <Servername>". All recordings of all TS Hosts on a given
TS server will be associated with this one record. This approach has the following
advantages:
Recordings are not orphaned
All recordings can be kept in one place,
TS recordings can be kept separate from console (root Host) recordings
Security can be configured separately for each recording.
21
PC-Duo Gateway Server Guide
Limitations of TS Hosts
Due to technical limitations and the nature of Terminal Services sessions, the following
Host features are not supported.
Remote printing
Keyboard and mouse suppression (requires kernel-based input stack intercept)
Screen blanking (requires kernel-based support and physical display to blank)
Peer-to-peer connections: all protocols are disabled, and the only connections that
can be made are through a configured Gateway Server
Kernel-mode screen capture (even on Windows Server 2003, requires kernel-mode
display support)
VNC connections
PC-Duo provides remote access and remote control to computers running a standard
version of VNC (Virtual Network Computing) server. A VNC server is built into recent
versions of the Mac OS X operating system from Apple Computer, and is also available
on many versions of the Linux operating system. When properly configured, technicians
can use PC-Duo Master on Windows to connect to and take control of Mac and Linux
computers running standard VNC server.
PC-Duo currently supports peer-to-peer connections to VNC servers. Support for
Gateway-managed connections to VNC servers is expected in the next release.
See "VNC Hosts" in the PC-Duo Master Guide for more information on configuring and
connecting to VNC servers.
Supported Platforms
PC-Duo Master can interoperate with standard VNC servers on following platforms:
Mac OS X v10.5-10.7
Red Hat Linux Fedora 11-16
22
PC-Duo Overview
Connection
Client
Server
Peer-to-peer
Master
Host
Gateway-managed (Gateway & Host are in same domain)
Master-Gateway relationship
Master
Gateway
Gateway-Host relationship
Gateway
Host
Gateway-managed (Gateway & Host are not in same domain)
Master-Gateway relationship
Master
Gateway
Gateway-Host relationship
Host
Gateway
PC-Duo security features
One of the most valuable aspects of PC-Duo remote desktop solutions is the ability to
create and enforce fine-grained access control policies, and to easily modify them to
reflect changes in your organization.
PC-Duo security features include the following:
―Authentication‖
―Authorization‖
―Auditing‖
―Encryption‖
Authentication
In the PC-Duo model, PC-Duo applications that request information and services are
considered ―clients‖ and those that provide information and services are considered
―servers‖. For example, the PC-Duo Master is considered a client when it connects to and
requests a list of Hosts from a PC-Duo Gateway. In turn, the PC-Duo Gateway is
considered a client when it connects to and requests information from a PC-Duo Host in
the same domain.
When PC-Duo Host is not in the same domain as the Gateway, the relationship is
automatically reversed: The Host is programmed to be the client and will reach out to the
Gateway (see ―Firewall-friendly connections‖ for more information about PC-Duo firewallfriendly connections).
To guarantee security in the PC-Duo environment, it is critical that PC-Duo components
acting as servers validate the credentials of users of PC-Duo components acting as
clients before they provide access or data. The burden is placed on the client to
23
PC-Duo Gateway Server Guide
Connection
Windows
authentication
Simple
password
Sharedsecret
password
Peer-to-peer
Yes
Yes
No
Gateway-managed (Gateway & Host are in same domain)
Master-Gateway
relationship
Yes
No
No
Gateway-Host relationship
Yes
No
Yes
Gateway-managed (Gateway & Host are not in same domain)
Master-Gateway
relationship
Yes
No
No
Gateway-Host relationship
No
No
Yes
authenticate itself to the server. PC-Duo implements two types of authentication to
support this:
―Identity Authentication‖
―Endpoint Authentication‖
Identity Authentication
In general, this operation answers the following security question: How does the server
know who the client is? A PC-Duo application acting as a server will not provide access
or information to any PC-Duo application acting as a client until it can validate that client‘s
identity. PC-Duo provides the server three different methods of authenticating the identity
of the PC-Duo client:
Windows authentication: By default, a PC-Duo application acting as a server uses
Windows authentication to check the Windows credentials of the client application:
The Host will check the Windows credentials of the PC-Duo Master user in
the case of a peer-to-peer connection;
The Gateway will check the Windows credentials of the PC-Duo Master users
in the Master-Gateway part of a Gateway-managed connection;
The Host will check the Windows credentials of the user logged into the
Gateway in the Gateway-Host part of a Gateway-managed connection (when
Host and Gateway are in the same domain).
NOTE: If Host and Gateway are not in the same domain, Windows authentication will not
usually be available. In that case, Host and Gateway will rely on Shared secret password.
Simple password: Prior to making a connection, a custom password can be created
on the Security tab of the Host and shared with PC-Duo Master user. This feature permits
24
PC-Duo Overview
the PC-Duo Master user to connect to a Host without regard to PC-Duo Master user‘s
Windows credentials.
NOTE: Simple password applies only to peer-to-peer connections.
Shared secret password: In the case that the Host does not share a domain
relationship with the PC-Duo Gateway, or if the Host is outside of the network and cannot
contact its domain controller, Windows authentication will not usually be available. Behind
the scenes, the PC-Duo Gateway and the Host will exchange a 16-byte secret password
that only they will know. As a result, in all subsequent connections, the PC-Duo Gateway
and Host will have some measure of authentication when they are not in the same
domain. If the Host belongs to the same domain as the PC-Duo Gateway, and the Host is
able to reach a domain controller, the Host will prefer to do Windows authentication
instead of shared secret password.
Endpoint Authentication
In general, this operation answers the following security question: How does the client
know it is connected to the right server? Identity authentication doesn't prohibit the client
from being fooled into connecting to a different server. In order to guarantee that
information and services are coming from the expected server, PC-Duo supports
endpoint authentication using Secure Sockets Layer (SSL).
SSL certificate authentication (PC-Duo Gateway only): PC-Duo has implemented
server endpoint authentication using SSL, which means the client will request and
validate a certificate from the server before providing requested information or services.
This ensures the client has connected to the right server. The following list describes
where SSL authentication can and cannot be used:
Peer-to-peer connections: SSL authentication is not available for peer-to-peer
connections. This would require each Host (acting as server) to carry its own
certificate, which would be unwieldy and costly to manage.
Gateway-managed connections (Host is in same domain as Gateway): SSL
authentication is available between Master (acting as client) and Gateway (acting
as server). Before connecting, the Master will request and validate a certificate
from the Gateway. In general, SSL between Master and Gateway would be most
useful when the Master is outside the LAN and/or coming in through a corporate
firewall to access the Gateway.
NOTE: SSL authentication is not available between the Gateway (acting as client) and the
Host (acting as server). As in peer-to-peer connections, this would require each Host to
carry its own certificate. SSL connections to the Host are generally not required because
the Host can be configured to use a reverse connection to the Gateway, which can use
SSL.
Gateway-managed connections (Host is not in same domain as Gateway):
When the Host is outside the LAN and/or behind a firewall or NAT-device, the Host
is the client and has responsibility to contact the Gateway. SSL authentication is
supported and would be appropriate to ensure that the Host is connecting to the
right Gateway. The Host will validate the Gateway Server certificate before
accepting the connection, ensuring that the Host is communicating with the correct
Gateway Server.
In summary, SSL can be used by the Master to authenticate a Gateway, and by a Host to
authenticate a Gateway when the Host is outside the domain:
25
PC-Duo Gateway Server Guide
Connection
Client
Server
SSL
Supported
Peer-to-peer
Master
Host
No
Gateway-managed (Master & Host are in same domain)
Master-Gateway relationship
Master
Gateway
Yes
Gateway-Host relationship
Gateway
Host
No
Gateway-managed (Master & Host are not in same domain)
Master-Gateway relationship
Master
Gateway
Yes
Gateway-Host relationship
Host
Gateway
Yes
Authorization
One of the strongest features of PC-Duo remote support solutions is the fine-grained
access control. For example, to perform remote support, you must have the following:
Proper credentials with which to connect to the Host computer
Authorization to view the Host computer remotely
Authorization to control the Host computer remotely
Your credentials are established when you connect to a Host computer (or to a PC-Duo
Gateway), and persist until the connection breaks. You can configure access and other
rights directly on the Host computer for peer-to-peer connections. Alternatively, you can
use the PC-Duo Gateway to enforce custom access rights policies on PC-Duo Master
users, roles, or groups for Gateway-managed connections.
Auditing
PC-Duo Gateway provides a detailed log of connection attempts, actions and other
activities that occur in the network. This log is also customizable and exportable to 3rd
party reporting products using standard formats.
PC-Duo Gateway also features screen recording for any Host in contact with a Gateway,
whether or not there is an active remote support connection. With this feature, PC-Duo
Master users can keep a visual log of activities going on in the network.
Encryption
To ensure privacy of communications between PC-Duo applications across the network,
PC-Duo provides advanced encryption using Advanced Encryption Standard (AES) block
ciphers and Secure Hashing Algorithm (SHA-1). This protection will be automatic and
26
PC-Duo Overview
transparent every time two PC-Duo 5.20 components or later are communicating with
each other.
By default, PC-Duo Express and PC-Duo Enterprise uses AES 256-bit encryption,
however other encryption options can be set, including:
AES encryption (256-bit key) with SHA1 hash
AES encryption (192-bit key) with SHA1 hash
AES encryption (128-bit key) with SHA1 hash
Triple-DES (3DES) encryption (192-bit key) with SHA1 hash
RC4-compatible encryption (128-bit key) with MD5 hash
NOTE: PC-Duo 5.10 applications and older support only RC4 encryption; thus, this would be the
encrpytion option negotiated between a PC-Duo 5.20 or later application (e.g. PC-Duo Master)
and PC-Duo 5.10 application (e.g. PC-Duo Host).
Order of precedence
When two PC-Duo components have different encryption options set, the first encryption
choice in common between the two is used (going down the list in order), with preference
set as follows:
Preference set by the Host, when the Gateway requests connection to the Host
Preference set by the Gateway, when the Master requests connection to a Host
through the Gateway
27
PC-Duo Gateway Server Guide
PC-Duo networking features
PC-Duo remote desktop solutions support several standard transport protocols for
computer-to-computer communication, and two types of network addressing schemas.
Network protocols
PC-Duo products support most of the standard networking and transport protocols,
including:
IP: IP is a general-purpose protocol supported on a wide variety of networks and
servers. PC-Duo components support communications using either the TCP or UDP
transport protocols running over IP. PC-Duo has established the following standard ports
for use with either TCP or UDP:
PC-Duo Host listens on port 1505 by default
PC-Duo Gateway listens on port 2303 by default
IPX: IPX provides access to Novell NetWare servers. PC-Duo components support
communications using this protocol.
SSL: The SSL protocol runs above TCP/IP and below higher-level protocols such as
HTTP or IMAP. Using TCP/IP on behalf of the higher-level protocols allows an SSLenabled server to authenticate itself to an SSL-enabled client, and then establish an
encrypted connection between the remote computers.
By default, PC-Duo Gateway listens for incoming SSL connections on port 443,
but it might be appropriate to note that this can be easily changed to avoid conflicts
with other server software installed on the same machine.
The PC-Duo Gateway now ships with a Gateway Certificate Manager to manage
the creation and/or selection of a SSL security certificate for the PC-Duo Gateway.
Network addressing schemas
The PC-Duo UDP, TCP and SSL transport protocols support the use of either IPv4 (32bit) or IPv6 (128-bit) addresses.
28
PC-Duo Overview
PC-Duo documentation and technical support
Each of the four PC-Duo components has its own guide:
PC-Duo Master Guide
PC-Duo Host Guide
PC-Duo Gateway Server Guide
PC-Duo Web Console Operating Guide
PC-Duo Web Console Installation Guide
PC-Duo Deployment Tool Guide
For more information about PC-Duo documentation and technical support, see:
"Typographical conventions"
"Technical support options"
Typographical conventions in documentation
PC-Duo documentation uses typographical conventions to convey different types of
information.
Computer text
Filenames, directory names, account names, IP addresses, URLs, commands, and file
listings appear in a plain fixed-width font:
You can use the default domain user account named ‗RemoteControlGateway‘.
In examples, text that you type literally is shown in a bold font.
To run the installation program, type installme in the command line.
Screen interaction
Text related to the user interface appears in bold sans serif type.
Enter your username in the Login field and click OK.
Menu commands are presented as the name of the menu, followed by the > sign and the
name of the command. If a menu item opens a submenu, the complete menu path is
given.
Choose Edit > Cut.
Choose Edit > Paste As… > Text.
Variable text
Variable text that you must replace with your own information appears in a fixed-width
font in italics. For example, you would enter your name and password in place of
YourName and YourPassword in the following interaction.
29
PC-Duo Gateway Server Guide
Enter your name: YourName
Password: YourPassword
File names and computer text can also be displayed in italics to indicate that you should
replace the values shown with values appropriate for your enterprise.
Key names
Names of keyboard keys appear in SMALL CAPS. When you need to press two or more
keys simultaneously, the key names are joined by a + sign:
Press RETURN.
Press CTRL+ALT+DEL.
Technical support options
If you have any problems installing or using the PC-Duo remote support products,
information and support resources are available to help:
This manual and the Release Notes may contain the information you need to solve
your problem. Please re-read the relevant sections. You may find a solution you
overlooked.
Our technical support staff can be contacted by the following means:
For Americas and Asia/Pacific:
email: support@vector-networks.com
phone: (800) 330-5035
For Europe, Middle East and Africa:
email: support@virtualnetworkpartners.eu
phone: +44 2030040750
We offer a range of support options including support and maintenance contracts, and
time and materials projects. Consult our web site for the support plan that best meets
your needs. Go to http://www.vector-networks.com and navigate to the Support
section of the web site for more information.
30
Loading...