Last active February 7, 2021 05:01
Ulteo-OVD implementation guide

Ulteo Remote Application Server

Installation, configuration, patching & troubleshooting guide to the Ulteo-OVD services. Additional details of this software can be found on their website. Here are some useful resources.

  1. Ulteo home -
  2. Ulteo Downloads -
  3. Ulteo OVD source code -
  4. Additional OVD source code access -
  5. Community forums -!forum/ulteo-ovd-community-support

Ulteo OVD 4.0 RC1 Community Edition

Original Guides

All guides can be found @ and are recommended prior to applying the patch associated with this documentation.

Current (2012-08-28)

The current operating environment for the Ulteo-OVD application service is detailed below.

Overview, Setup & Configuration

This section will provide a general overview of the various components that make up the Ulteo OVD software. The diagram below illustrates how the web client interfaces with the configured application server(s).

Session manager

The Session Manager component handles the Administrative panel which is used to configure the Ulteo software.

It uses the following locations...

  1. /etc/ulteo/sessionmanager - Here you can find the Apache virtual host configuration directives, the default administrative login for the Ulteo admin interface etc.
  2. /usr/share/ulteo/sessionmanager - The web interface for the session manager. This folder contains the administrative interface as well as components the webclient uses for authentication & session management.
  3. /var/log/ulteo/sessionmanager - The logs here are used within the administrative interface and are a good source of troubleshooting information

Network ports & services list

Being a complex application there are several TCP/UDP port requirements for remote application usage. The session manager port requirements are as follows:

  1. Apache - TCP ports 80 & 443 (I would recommend disabling port 80 and requiring access through 443)
  2. MySQL - TCP port 3306 (disabling of outside access is fine due to session manager & web client using localhost for access)
  3. LMSocialServer - TCP port 1111 (This port is used for application server status updates and can be limited via local port filters to application servers only)

Configuration settings

The current configuration settings within the Ulteo session manager are as follows:

System settings

  1. System on maintenance mode - no
  2. Administration console language - autodetect
  3. Debug option list - info, warning, error & critical
  4. Cache logs update every - 30 seconds
  5. Cache logs expiry time - a day
  6. Default user group - ???
  7. Domain integration - internal
  8. Maximum items per page - 100
  9. Maximum number of running sessions - 0
  10. Modules activation - ApplicationDB, ApplicationsGroupDB, AuthMethod, ProfileDB, SessionManagement, SharedFolderDB, UserDB, UserGroupDB, UserGroupDBDynamic

Server settings

  1. Disable reverse FQDN checking - yes
  2. Action when a server status is not ready anymore - switch to maintenance
  3. Auto-recover server - yes
  4. Remove orphan applications when the application server is deleted - yes
  5. Auto register new servers - yes
  6. Auto switch new servers to production mode - yes
  7. When an Application Server has reached its "max sessions" limit, disable session launch on it? - yes

Domain integration settings

  1. Internal database profiles - internal

Authentication settings

  1. AuthMethod - CAS
  2. CAS Server URL -

Session settings

  1. Default mode for session - applications
  2. Default language for session - english
  3. Default timeout for session - 1 day
  4. User can launch a session even if some of his published applications are not available - yes
  5. User can use a console in the session - no
  6. Multimedia - yes
  7. Redirect client drives - full
  8. Redirect client printers - yes
  9. RDP bpp - 16
  10. Enhance user experience - yes
  11. Enable user profiles - yes
  12. Auto-create user profiles when non-existent - yes
  13. Launch a session without a valid profile - yes
  14. Enable shared folders - yes
  15. Launch a session even when a shared folder's fileserver is missing - yes
  16. Forceable parameters by users - none
  17. Enable Remote Desktop - yes
  18. Sessions are persistent - yes
  19. Show icons on user desktop - yes
  20. Allow external applications in Desktop - yes
  21. Desktop type - any
  22. Servers which are allowed to start desktop - empty
  23. Enable Remote Applications - yes

Events settings

  1. Email address to send alerts to - User definable
  2. Server status changed - checked
  3. Session startup - checked
  4. SQL failure - checked

Web interface settings

  1. Display users list - no
  2. Public Webservices access - yes


Dynamic groups

Because we are using CAS (Central Authentication Service), a dynamic group must be configured to handle users coming from this service.

Before configuring the dynamic group you must first enable the 'DynamicGroupDB' module. You can do this with the following series of clicks...

  1. Login to the administration area
  2. Select Configuration
  3. System Settings
  4. Modules Activation
    1. Check 'DynamicGroupDB' option
  5. [In version 4 RC2, creation of this group must be done by manually adding an entry to the ulteo_usergroup_dynamic table with published = 1 and validation_type = 1.]
  6. Also add the matching rules to ulteo_usergroup_rules:
    | id | attribute | type       | value | usergroup_id |
    | 1  | login     | startswith | u     | dynamic_1    |
    | 2  | login     | startswith | gp    | dynamic_1    |
    | 3  | login     | equal      | gx    | dynamic_1    |
  7. Save

Now that the required module is enabled follow this series of clicks to create a dynamic group...

  1. Users
  2. Users Groups
    1. Create new group
    2. Dynamic
    3. Enter a unique name
    4. Add a unique description
    5. Cached - no
    6. Validation type - "at least one"
    7. Login starts with - "u"
  3. Save
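The following is an added example, not Ulteo's code, showing what the dynamic-group rules above actually decide: it evaluates the ulteo_usergroup_rules rows (group dynamic_1, rule types startswith and equal) against a login under the "at least one" or "all" validation types. Matching is modelled as case-sensitive, which is an assumption about how the session manager compares logins; the function names are this example's own.

```python
# Added example (this guide's logic, not Ulteo's code): decide whether a
# login belongs to a dynamic group, using the rows shown for the
# ulteo_usergroup_rules table above. Only the rule types the table uses
# ("startswith" and "equal") are modelled; matching is case-sensitive,
# which is an assumption about how the session manager compares logins.

# Constructed copy of the ulteo_usergroup_rules rows listed above.
RULES = [
    {"id": 1, "attribute": "login", "type": "startswith", "value": "u",  "usergroup_id": "dynamic_1"},
    {"id": 2, "attribute": "login", "type": "startswith", "value": "gp", "usergroup_id": "dynamic_1"},
    {"id": 3, "attribute": "login", "type": "equal",      "value": "gx", "usergroup_id": "dynamic_1"},
]


def rule_matches(rule, user):
    """Evaluate one rule against a user record (a dict of attributes)."""
    actual = user.get(rule["attribute"], "")
    if rule["type"] == "startswith":
        return actual.startswith(rule["value"])
    if rule["type"] == "equal":
        return actual == rule["value"]
    raise ValueError("unsupported rule type: %s" % rule["type"])


def is_member(user, group_id, rules=RULES, validation="at least one"):
    """Membership test. 'validation' mirrors the admin interface's
    "Validation type" field: "at least one" (stored as validation_type 1
    in ulteo_usergroup_dynamic, per the guide) or "all"."""
    group_rules = [r for r in rules if r["usergroup_id"] == group_id]
    if not group_rules:
        return False  # a dynamic group without rules matches nobody
    results = [rule_matches(r, user) for r in group_rules]
    if validation == "at least one":
        return any(results)
    if validation == "all":
        return all(results)
    raise ValueError("unknown validation type: %s" % validation)


def members(logins, group_id="dynamic_1", **kwargs):
    """Filter a list of CAS logins down to the members of the group."""
    return [login for login in logins if is_member({"login": login}, group_id, **kwargs)]


def prefix_rules(rules=RULES):
    """List the rules that admit any login sharing a prefix. Review these:
    every account the CAS server issues with that prefix joins the group."""
    return [r for r in rules if r["type"] == "startswith"]


if __name__ == "__main__":
    # Constructed logins in the style of the statistics output later in this guide.
    sample = ["u0368839", "gp1234", "gx", "gxy", "admin", "U0368839"]
    print("members:", members(sample))          # u0368839, gp1234, gx
    print("prefix rules:", [r["id"] for r in prefix_rules()])
```

The prefix rules are worth reviewing periodically: a "startswith u" rule makes group membership (and therefore application access) depend only on the naming convention enforced by the CAS server, so any new login class that happens to share the prefix is published to automatically.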


Published applications

In order for any of our CAS-authenticated users (members of our new dynamic group) to use any of the applications the Ulteo software provides, you must first create a list of published applications. The following series of clicks will do this.

  1. Publication Wizard
  2. Use usergroups
  3. Select dynamic group you just created
  4. Next
  5. Create group with applications
  6. Select any/all applications you wish to provide to this dynamic group
  7. Next
  8. Enter unique name
  9. Enter unique description
  10. Next
  11. Confirm

Web client component

The web client component is the access point that clients wishing to launch virtualized/remote applications will use. This component relies upon Java applets, once authentication has occurred, to load the requested piece of software. It can be found in /usr/share/ulteo/webclient.

It uses the following locations...

  1. /etc/ulteo/webclient - The primary configuration for the webclient can be found here.
  2. /usr/share/ulteo/webclient - The webclient application including the Java applets, ajaxplorer etc can be found in this location.

Current configuration changes

Default to portal or application mode

To force portal mode for clients, edit /etc/ulteo/webclient/ and set:


define('OPTION_FORCE_SESSION_MODE', 'applications');

Force the default session manager URI

You may wish to force the default session manager URL; to do so, edit /etc/ulteo/webclient/

Uncomment & edit:

define('SESSIONMANAGER_HOST', '[FQDN of session manager]');

Application server(s)


Linux application server

The Linux application server is used to provide the file system interface and mapping to local shares for the remote authenticated user. Below are details of the installed environment.

Network ports & services list

The Linux application server & file system consist of several processes. The ulteo-ovd-subsystem processes are the following:


  1. Apache - The apache webserver using TCP port 1113 (This port only needs to be accessible to & from the session manager)
  2. Python - A customized python client socket is open on TCP port 1112 (This port also only needs to be accessible to & from the session manager)
  3. NetBIOS - The netbios service initialized from the Samba service using TCP port 139 (This port is required for the file service for remote authenticated users)
  4. Xvnc - The Xvnc service listening on TCP port 5910 (This also needs to be accessible for remote authenticated users)
  5. Xrdp - The Xrdp service listening on TCP 3350 (This is only bound to the local loopback adapter or localhost address and does NOT need to be publicly accessible for remote authenticated users)
  6. Cups - The cupsd service listening on TCP port 631 (This also is only bound to the local loopback adapter or localhost and does NOT need to be publicly accessible for remote authenticated users)
  7. Samba - The SMB service is bound to TCP port 445 (This port only needs to be accessible from the configured application servers)
  8. RDP - The RDP (Remote Desktop Protocol) is bound to TCP port 3389 (This needs to be accessible from remote authenticated users)
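The port list above doubles as a binding policy: two services must stay on the loopback adapter and the rest are reachable only by particular peers. The added example below (not part of the guide or the Ulteo project) turns that list into a check that can be run against `netstat -tln` output from a Linux application server; the sample output is constructed, and the policy labels and function names are this example's own.

```python
# Added example, not part of the guide or the Ulteo project: audit a Linux
# application server's listening TCP sockets against the exposure policy
# in the port list above. Input is `netstat -tln` style output (the sample
# below is constructed); the policy labels and function names are this
# example's own.

import ipaddress

# Port -> expected exposure, taken from the list above.
#   "localhost"       bound to a loopback address only (Xrdp, CUPS)
#   "session-manager" reachable from the session manager only
#   "app-servers"     reachable from the configured application servers
#   "users"           reachable by remote authenticated users
LINUX_APP_SERVER_POLICY = {
    1113: "session-manager",  # Apache (WebDAV file service)
    1112: "session-manager",  # Python slave server socket
    139:  "users",            # NetBIOS session service (Samba)
    5910: "users",            # Xvnc
    3350: "localhost",        # Xrdp
    631:  "localhost",        # cupsd
    445:  "app-servers",      # SMB
    3389: "users",            # RDP
}

# Constructed netstat -tln output: cupsd has been left bound to 0.0.0.0 and
# an unexpected service is listening on 8080.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:1113            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1112            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5910            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3350          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3389            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
"""


def parse_listeners(text):
    """Return (bind_address, port) pairs from netstat -tln style lines."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp") or parts[-1] != "LISTEN":
            continue
        host, _, port = parts[3].rpartition(":")
        listeners.append((host, int(port)))
    return listeners


def audit(listeners, policy=LINUX_APP_SERVER_POLICY, allowed_extra=frozenset()):
    """Compare listeners with the policy; return (port, finding) pairs.
    allowed_extra lists ports outside the policy that are acceptable (e.g. sshd)."""
    findings = []
    seen = set()
    for host, port in listeners:
        seen.add(port)
        expected = policy.get(port)
        if expected is None:
            if port not in allowed_extra:
                findings.append((port, "unexpected listener on %s" % host))
        elif expected == "localhost" and not ipaddress.ip_address(host).is_loopback:
            findings.append((port, "should be loopback-only but is bound to %s" % host))
    for port, expected in policy.items():
        if port not in seen:
            findings.append((port, "expected %s service is not listening" % expected))
    return findings


if __name__ == "__main__":
    for port, finding in audit(parse_listeners(SAMPLE_NETSTAT), allowed_extra={22}):
        print("port %d: %s" % (port, finding))
```

The "session-manager", "app-servers" and "users" classes cannot be verified from the listening socket alone; they are the input for the host firewall or the Apache ACLs described in the hardening section later in this guide, which is where the peer restriction is actually enforced.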

Service details

Here are the details of the various files installed with the Ulteo-OVD subsystem (filesystem & application server) on a linux host.

  1. /etc/ulteo - The configuration file location for the Ulteo-OVD subsystem
  2. /var/log/ulteo - The log files for the Ulteo-OVD subsystem application server
  3. /opt/ulteo - The chroot environment used for the file system services as well as the application services


Windows application server

The Windows application server is used by remote authenticated users to launch applications.

Network ports & services list

Being a complex application there are several TCP/UDP port requirements for remote application usage. The application server port requirements are as follows:

TCP ports

  1. epmap - TCP port 135 (This should only need to be accessible from the configured application servers)
  2. microsoft-ds - TCP port 445 (This should also only need to be accessible from the configured application servers)
  3. Python - TCP port 1112 (Also only needs to be accessible from the configured application servers)
  4. RDP - TCP port 3389 (This needs to be accessible from any authenticated user)

UDP ports

  1. microsoft-ds - UDP port 445 (Accessible from configured application servers)
  2. isakmp - UDP port 500 (Also only accessible from the configured application servers)
  3. ipsec-msft - UDP port 4500 (Also only accessible from the configured application servers)
  4. netbios-ns - UDP port 137 (Accessible from configured application servers)
  5. netbios-dgm - UDP port 138 (Also accessible from configured application servers)

Patching (to provide CAS authentication)

As of this writing (2012-08) CAS authentication for the Ulteo-OVD software is broken. The phpCAS::Client performs a redirect to the CAS authentication service when no ST or PG ticket exists on the client. However, because the authentication form posts credentials to the session manager, which then generates an XML-formatted query before performing this redirection, the redirect headers do not work properly.

The steps following will upgrade the current phpCAS module and implement the proper redirection based on the Ulteo-OVD CAS enabled options within the Ulteo-OVD admin interface.

Latest patch

Here is the latest [ patch] which will update the phpCAS client included with the latest version of the Ulteo Session Manager. Please note that you must have the 'DynamicGroupDB' module enabled and also have defined a group using the DynamicGroupDB module as listed above for the Session Manager configuration section.

%> wget

Make backup

You should first make a backup of the /usr/share/ulteo folder. This folder contains the session manager and the web client (if installed on the same web server).

%> cd /usr/share && tar zcvf ~/ulteo-backup.tgz ulteo/

Apply patch

In order to apply the patch to the latest Ulteo installation (v3.x) you must first remove the outdated phpCAS installation. This is why the backup in the previous step is crucial should something go wrong. To do this issue the following command.

%> rm -frv /usr/share/ulteo/sessionmanager/PEAR/CAS*

Next simply apply the patch using the following command.

%> cd /usr/share && patch -p0 < ~/2012-08-24.patch


Troubleshooting

Here are some general troubleshooting guidelines for the various components that make up the Ulteo-OVD service.

Session manager

Server status

Occasionally an application server status will be in a 'broken' state. Generally this means the application server process is no longer sending status updates to the session manager.

When this type of problem occurs the Ulteo-OVD application service must be restarted.

Broken windows application server

Here are some common problems encountered when using the Ulteo-OVD application server (v3.0.2) in a Windows 2003 server environment.

Not listed in session manager

If the Windows application server is not registering within the Ulteo-OVD session manager there are a couple of DNS errors that could be the cause of the problem.

  1. FQDN of session manager - During the installation process you were prompted to enter a session manager hostname, if an IP address was entered you may experience problems with the application server not registering with the session manager
  2. DNS A record - If the DNS A record of the session manager OR the application server is incorrect you may experience problems with the application server registering with the session manager

In order to resolve these problems the following solutions may be applied.

  1. Use FQDN - Use of a FQDN (Fully Qualified Domain Name) during the installation is highly recommended.
  2. Static host entry - Although not recommended, a static host entry can be added to the "C:\Windows\System32\drivers\etc\hosts" file and would look like this example:
    localhost    hostname.of.session.manager    hostname
  3. DNS A record - The addition or modification of the DNS A record corresponding to your session manager hostname

Exceptional condition

Windows 2003 server error logs when handling exceptional conditions may return errors similar to the following in the event viewer. The error listed below is due to a problem with the XML formatted response from the session manager when receiving a status request. This error could be an indication of a man in the middle attack scenario because the application server is expecting an XML formatted query from the session manager.

The instance's SvcRun() method failed 
Traceback (most recent call last):
  File "win32serviceutil.pyc", line 806, in SvcRun
  File "OVDWin32Service.pyc", line 95, in SvcDoRun
  File "ovd\SlaveServer.pyc", line 167, in loop_procedure
  File "ovd\SMRequestManager.pyc", line 169, in send_server_monitoring
  File "ovd\SMRequestManager.pyc", line 69, in get_response_xml
IOError: (9, 'Bad file descriptor') 
%2: %3

The above error is caused by the following query from the session manager.

[608] content type: text/html

And usually results in errors similar to the following:

Windows saved user ULTEO-WIN2K3\OVDAdmin registry while an application or service was still using the registry during log off. The memory used
by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. 

 This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Although this scenario is rare, the mitigation for this problem in future is to modify the Ulteo-OVD application server to use a LocalService or NetworkService account as stated in the error. This is possible by using the 'Services' administrative panel to modify the running user account. However, running the service under such a system account causes profile creation and SID-to-user-account mapping to fail with privilege errors, because the specified account must be able to create users & their associated profiles.

As of this writing (2012-08-27) the ulteo service must be run as the 'OVDAdmin' user account (default user created during installation of the OVD Application server).

To resolve this communication error between the Ulteo Application server and session manager the service must be stopped and restarted. You can use Task Manager or the administrative Services management console to do this.

Broken linux application server

A linux application server serves dual roles. It first provides linux applications and it also provides file system drive & printer mapping to authenticated clients.

  1. Offline - If the application & file server is not available using the Ulteo-OVD administrative interface the ulteo-ovd-subsystem must be restarted.
  2. No file browser - If an authenticated user connects to the service and does not see a file browser it is due to the Ulteo-OVD SMBD service being down or that no Linux application & file server has been registered.
  3. Cannot save to desktop - If an authenticated user cannot save to their desktop it is because their current OS username does not match the authenticated username provided to the Ulteo-OVD service or the necessary samba file service to WebDAV folder mapping did not take place

In most situations these problems can be resolved by simply restarting the Ulteo-OVD-subsystem (from a command line):

%> sudo /etc/init.d/ulteo-ovd-subsystem restart

Broken Windows application server

A Windows application server provides remote applications to authenticated clients using terminal services connections.

  1. Offline - If the windows application service is shown as broken or offline using the Ulteo-OVD sessionmanager administrative interface, or clients are not able to access windows applications, the Ulteo-OVD-slaveservice may need to be restarted. Use the Administrative Tools -> Services MMC snap-in to stop and restart the service. If the service cannot be restarted use the Task Manager to stop any OVD services and restart.
  2. Non-responsive - I have also witnessed situations where many of the child processes which UlteoOVDSlaveServer.exe initializes upon session start become orphaned, thereby consuming memory and critical system resources and eventually leading to a crash or non-responsive service. This can be verified on the application server by examining the process list in Task Manager. Stopping all orphaned processes and restarting the ulteo service resolves the problem in 90% of occurrences. Occasionally you must restart the application server to resolve the problem, however.

Client authentication errors

There are a couple of conditions related to authentication. Below are details of these:

  1. Session exists - This condition presents itself when an authenticated session exists within the Ulteo-OVD session manager. When a client selects 'logoff' within the SessionManager interface this 'session destroy' command must replicate to the configured application servers. Occasionally the redirection from the CAS authentication service occurs faster than this replication process. To remedy simply allow a few minutes to pass before refreshing the Ulteo-OVD session manager page.
  2. Unknown error - Nine times out of ten this error is also a general error which occurs when a redirection to or from the CAS authentication service transpires faster than the session destroy replication from the Ulteo-OVD session manager to the configured application servers. If waiting a few minutes does not resolve the problem then an administrative user must manually destroy the user's session.
  3. Session ended unexpectedly - This error has been experienced upon restoration of the Ulteo-OVD application & session manager from backup. On further examination, the configured application servers (which were destroying the session locally, thus forcing replication to the session manager and the other application servers) were not able to properly obtain the SID information for the authenticated user. A synchronization problem exists between the profiles & user accounts on the application servers when a virtual machine has been restored from backup. To resolve this problem use the Ulteo-OVD administrative interface to manually destroy the session as well as the associated user profile information.

Additional recommendations (hardening the service)

Because of the many components involved, this section is broken down by component (the session manager and each type of application server) and then by the core services each provides.

Session manager

Here are some additional configuration options you may apply to the default session manager installation.

Web server

  1. Use of ACLs (Session manager administrative control panel) - An allow/deny list should be used within /etc/ulteo/sessionmanager/apache2-admin.conf to limit administrative access. Note the Order directive: with 'Order allow,deny' the trailing 'deny from all' is evaluated last and would deny the listed addresses as well, so a whitelist needs 'Order deny,allow'. An example follows:
    Alias /ovd/admin /usr/share/ulteo/sessionmanager/admin
    <Directory /usr/share/ulteo/sessionmanager/admin>
        Options FollowSymLinks
        AllowOverride None
        Order deny,allow
        deny from all
        allow from
        allow from
        DirectoryIndex index.php
        php_admin_flag magic_quotes_gpc Off
    </Directory>
  2. Use of ACLs (Session manager application server monitoring component) - Additionally, ACLs for the webservices component can be used to block connections from anywhere other than valid application servers. To do this you must modify /etc/ulteo/sessionmanager/apache2-vhost-server.conf. Here is an example:
    NameVirtualHost *:1111
    Listen 1111
    <VirtualHost *:1111>
            RewriteEngine on
            RewriteCond %{REQUEST_URI} ^/(.+)/(.+)$
            RewriteRule . /%1_%2.php [L]
            DocumentRoot /usr/share/ulteo/sessionmanager/webservices
            <Directory /usr/share/ulteo/sessionmanager/webservices>
                    Order deny,allow
                    deny from all
                    allow from #Linux application/file server
                    allow from #Windows application server
                    allow from #Or if you use an entire subnet for your application servers
            </Directory>
    </VirtualHost>

    Keep in mind this modification should take place anytime a new linux or windows application server is added to the Ulteo-OVD service.

  3. SSL certificate - The default installation uses a self-signed certificate which should be replaced with a valid signed certificate based on the hostname used for the Ulteo DNS A record. Once a certificate has been signed modify the /etc/ulteo/sessionmanager/apache2-vhost-ssl.conf to reflect this change. An example follows:
    SSLEngine on
    SSLCertificateFile /path/to/valid/signed/certificate.cer
    SSLCertificateKeyFile /path/to/valid/private/key/used/for/certificate/generation.key

    And here is how to create the certificate request from a certificate authority:

    %> openssl genrsa -des3 -out server.key 1024
    %> openssl req -new -key server.key -out server.csr

    Then send the server.csr to the certificate authority for signing.

  4. Force SSL - By default Apache will bind to port 80; because authentication is involved it is wise to force redirects to the SSL/TLS protocol on port 443. To do this we will add a simple redirect to the '/etc/apache2/sites-available/default' virtual host declaration like so:
    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
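The Order/allow/deny semantics behind the ACL examples above are easy to get backwards, and the result is either an admin panel nobody can reach or one everybody can. The block below is an added example, not the guide's or Apache's code: a small model of how Apache 2.2 mod_authz_host evaluates 'Order', 'allow from' and 'deny from', so a fragment can be checked against a few client addresses before it is deployed. Only "all", single IP addresses and CIDR ranges are matched (hostname and partial-IP forms are not modelled); the sample addresses are constructed from RFC 5737 documentation ranges, and the function names are this example's own.

```python
# Added example (not the guide's or Apache's own code): a model of how Apache
# 2.2 mod_authz_host evaluates Order / Allow from / Deny from, used to check
# the administrative ACL above before deploying it. Only "all", single IPs
# and CIDR ranges are matched; hostname and partial-IP forms are not
# modelled. Addresses in the samples are constructed (RFC 5737 ranges).

import ipaddress


def _matches(client, spec):
    """True if the client address matches one Allow/Deny argument."""
    if spec.lower() == "all":
        return True
    return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)


def access_allowed(client, order, allow=(), deny=()):
    """Apply the documented evaluation table for the two Order settings."""
    allowed = any(_matches(client, s) for s in allow)
    denied = any(_matches(client, s) for s in deny)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        # Allow directives first, then Deny; a matching Deny wins; default deny.
        return allowed and not denied
    if order == "deny,allow":
        # Deny directives first, then Allow; a matching Allow wins; default allow.
        return allowed or not denied
    raise ValueError("unknown Order: %s" % order)


def parse_acl(fragment):
    """Collect Order, Allow from and Deny from arguments from a config fragment.
    Trailing '#' comments are stripped here only so fragments annotated like the
    ones in this guide can be parsed; Apache itself does not accept inline comments."""
    order, allow, deny = "deny,allow", [], []   # Apache's default Order
    for line in fragment.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order" and len(parts) == 2:
            order = parts[1]
        elif key in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(parts[2:])
    return order, allow, deny


def check(fragment, client):
    """Would a request from 'client' be allowed by this fragment?"""
    order, allow, deny = parse_acl(fragment)
    return access_allowed(client, order, allow, deny)


# A whitelist written with Order allow,deny: the trailing "deny from all" is
# evaluated last and overrides the allow, so nobody can reach the admin panel.
ACL_ALLOW_DENY = """
<Directory /usr/share/ulteo/sessionmanager/admin>
    Order allow,deny
    allow from 192.0.2.10
    deny from all
</Directory>
"""

# The same whitelist with Order deny,allow: Allow is evaluated last and wins.
ACL_DENY_ALLOW = """
<Directory /usr/share/ulteo/sessionmanager/admin>
    Order deny,allow
    deny from all
    allow from 192.0.2.10 198.51.100.0/24
</Directory>
"""

if __name__ == "__main__":
    for name, acl in (("allow,deny", ACL_ALLOW_DENY), ("deny,allow", ACL_DENY_ALLOW)):
        for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
            print("%-10s %-14s -> %s" % (name, ip, "allowed" if check(acl, ip) else "denied"))
```

The same table applies to the webservices vhost on port 1111, to the WebDAV vhost on the Linux application server and (with the same directive names) to the CUPS Location block later in this guide, so one check function covers all of them.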


Database

  1. MySQL user - The default installation does not create a dedicated user for accessing the MySQL database; creating one is strongly recommended and can be done with the examples shown below (ovd is the session manager database, as used by the statistics query later in this guide):
    %> mysql -u root -p -e 'CREATE USER "[dbUser]"@"localhost" IDENTIFIED BY "[dbPassword]"'
    %> mysql -u root -p -e 'GRANT ALL PRIVILEGES ON ovd.* TO "[dbUser]"@"localhost"'
    %> mysql -u root -p -e 'FLUSH PRIVILEGES'

    Once you have created the user account, assigned a password, issued permissions & flushed the privilege table, log into the session manager using the default administrative account, browse to Configuration -> Database settings and update the fields to reflect your new account. To prevent errors during initial configuration, use the root MySQL account while configuring the administrative section of the Ulteo-OVD session manager, then switch to the new account.


PHP

The PHP interpreter can also be hardened with the assistance of the suhosin patch. To install it, simply run the following as the root user:

%> apt-get install php5-suhosin

Once it is installed it is wise to configure it. Below are some options to harden this feature providing the maximum protection for the PHP interpreter.

  1. Executor options - The suhosin patch can be used to prevent things such as directory traversals and excessive stack execution depths, and to white/black list specific PHP functions. Below are the 'minimum' options to be configured for this section.
    suhosin.executor.max_depth = 50
    suhosin.executor.include.max_traversal = 5
    suhosin.executor.disable_eval = on

    I also highly recommend disabling the /e modifier available within the PCRE (Perl compatible regular expression) library, as it allows execution of scripts. However, this option requires modification of the PHP source code within the Ulteo-OVD software to remove all instances of the /e modifier used in the preg_match() function.

    suhosin.executor.disable_emodifier = on
  2. Misc options - Apache may cause segfaults due to the APC functionality reserving resources which the suhosin patch may request. If your Apache installation is causing segfaults you may wish to enable the APC workaround like so:
    suhosin.apc_bug_workaround = on
  3. Transparent encryption options - Additionally, transparent encryption of PHP server-side sessions & the client-side cookie is recommended. Below are examples:
    suhosin.session.encrypt = on
    suhosin.cookie.encrypt = on

    Initial testing on enabling this feature has returned errors with the current WebDAV filesystem implementation. A feature request will be issued to the current developers.

Linux Application Server

The linux application server provides several services which you may additionally configure using the recommendations below.


Samba file server

Additional configuration settings for the Samba file server service (within the chroot environment) may be used. Below are some guides:

  1. File types - Specific file types can be hidden using the 'veto files' configuration directive in '/opt/ulteo/etc/samba/smb.conf' like so (this example hides most common script types & executables):
    veto files = /$RECYCLE.BIN/*.cpp/*.exe/*.sh/*.php/*.pl/*.bat/
  2. System accounts - Additionally, system account access can be prevented like so:
    invalid users = daemon, bin, sys, sync, games, man, lp, mail
  3. Security mode - Currently the Samba file server mode is set to 'share', which only requires that a password be provided when mapping a share. According to documentation regarding security hardening of a Samba file server this is strongly discouraged. A stricter security mode should be set, such as 'user' as in this example:
    security = user

    This configuration does result in the client no longer being able to save files directly to their own machine. A feature request will be sent to the current Ulteo-OVD maintainers regarding this.

  4. Interface security - Force bind mode to only allowed interfaces as well as force socket connection mode. Example:
    interfaces = eth0
    bind interfaces only = yes
    socket options = TCP_NODELAY
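To confirm that the 'veto files' value above hides what it is meant to hide (and nothing more) before it is deployed, the following added example, not the guide's or Samba's code, parses the '/'-separated pattern list and tests directory entries against it. Samba matches the final path component against each pattern; case folding here mirrors Samba's default case-insensitive name matching, which is an assumption since the behaviour follows the share's 'case sensitive' setting. The sample listing is constructed and the function names are this example's own.

```python
# Added example (not the guide's or Samba's code): parse the 'veto files'
# value above and test names against it, to verify the list behaves as
# intended before deploying the share. Case folding mirrors Samba's default
# case-insensitive name matching; that default is an assumption, as the
# behaviour follows the share's 'case sensitive' setting.

import fnmatch

# The value recommended above.
VETO_FILES = "/$RECYCLE.BIN/*.cpp/*.exe/*.sh/*.php/*.pl/*.bat/"


def parse_veto_files(value):
    """Samba separates veto patterns with '/', so split on it and drop empties."""
    return [p for p in value.split("/") if p]


def is_vetoed(path, patterns, case_sensitive=False):
    """True if the final component of the path matches a veto pattern.
    fnmatchcase is used so that only the explicit folding below applies,
    not the host OS's own case rules."""
    name = path.rsplit("/", 1)[-1]
    for pat in patterns:
        if case_sensitive:
            hit = fnmatch.fnmatchcase(name, pat)
        else:
            hit = fnmatch.fnmatchcase(name.lower(), pat.lower())
        if hit:
            return True
    return False


def visible_entries(listing, value=VETO_FILES, case_sensitive=False):
    """Return the entries of a directory listing that a client would see."""
    patterns = parse_veto_files(value)
    return [name for name in listing if not is_vetoed(name, patterns, case_sensitive)]


if __name__ == "__main__":
    # Constructed directory listing.
    listing = ["report.docx", "setup.exe", "Backup.SH", "$RECYCLE.BIN",
               "notes.txt", "tools/run.bat", "archive.sh.txt"]
    print(visible_entries(listing))  # ['report.docx', 'notes.txt', 'archive.sh.txt']
```

Note that 'archive.sh.txt' survives: veto patterns match names only, so the list is a hygiene control for the kinds of files users can place and see on the share, not a substitute for content inspection.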


Apache web server

Additional configuration settings may also be applied to the Apache web server service (also located within the chroot environment). Below are some recommendations:

  1. Hosts - The Apache web server can be hardened by restricting access through the use of the 'hosts allow' directive, limiting access only to the currently configured session manager when sending requests. Keep in mind if you decide to enable this only the clients added to this whitelist would be able to access the mapped WebDAV file share. As with the session manager ACLs, 'Order deny,allow' is required so that the listed addresses are not overridden by 'deny from all'. Here is an example configuration for '/opt/ulteo/usr/share/ulteo/ovd/slaveserver.conf':
    NameVirtualHost *:1113
    Listen 1113
    <VirtualHost *:1113>
            DAVMinTimeout 600
            DAVDepthInfinity On
            Alias /ovd/fs /var/lib/ulteo/ovd/slaveserver/fs
            <Directory /var/lib/ulteo/ovd/slaveserver/fs>
                    DAV on
                    AuthName "WebDAV Storage"
                    AuthType Basic
                    AuthUserFile /var/spool/ulteo/ovd/fs.dav.passwd
                    Require valid-user
                    AllowOverride AuthConfig Limit
                    Order deny,allow
                    deny from all
                    allow from
                    allow from
            </Directory>
    </VirtualHost>

    This whitelisting feature might be beneficial to include within the administrative interface so a feature request will be filed with the Ulteo-OVD maintainers.

  2. SSL/TLS - Additionally the use of SSL/TLS protocols should be enabled to prevent unauthorized monitoring of communications between the session manager & application servers. Not enabling this functionality could lead to a man in the middle scenario allowing impersonations or unauthorized requests made to the application server forcing session destroy, or other commands. Adding a signed SSL/TLS certificate to the vhost configuration will enable this functionality.
    SSLEngine on
    SSLCertificateFile /path/to/valid/signed/certificate.cer
    SSLCertificateKeyFile /path/to/valid/private/key/used/for/certificate/generation.key

    And here is how to create the certificate request from a certificate authority:

    %> openssl genrsa -des3 -out server.key 1024
    %> openssl req -new -key server.key -out server.csr

    Then send the server.csr to the certificate authority for signing.

CUPS service

  1. Use of ACLs - The CUPS printing service may also be hardened with the use of access control lists. Much like the ACLs in the Apache web service, limiting access to the CUPS service to allowed remote clients will aid in preventing unauthorized use. CUPS evaluates 'Order' the same way as Apache, so a whitelist uses 'Order deny,allow'. Below is an example configuration:
    # Restrict access to the server...
    <Location />
      Order deny,allow
      deny from all
      allow from #Individual machine allowed access to the cups printing service
      allow from #Entire subnet of allowed machines to the cups printing service
    </Location>

    As with many of the other services the Ulteo-OVD service implements, administration of these whitelists would prove beneficial if available through the current administrative interface.

Windows Application Server

The Windows Ulteo-OVD application server can also be further restricted. Below are some available options for hardening the application server service on Windows (this guide was developed using Windows Server 2003).

  1. Terminal services - Terminal services should have the following options enabled. You can modify these settings using the Administrative Tools -> Terminal Services Configuration MMC snap-in.
    1. Delete temporary folders on exit - Yes
    2. Use temporary folders per session - Yes
    3. Active Desktop - Disable
    4. Permission Compatibility - Full Security
    5. Restrict each user to one session - Yes
  2. Windows firewall - Limiting access to the services required by the Ulteo-OVD application server to a whitelist of allowed machines will help prevent unauthorized access. Configuration can be modified using Control Panel -> Windows Firewall. Below are the recommended settings:
    1. OVDWin[arch]Service.exe - Edit the scope for this service to either use a custom list of allowed machines or restrict it to the current subnet of the server
  3. ulteo-ovd-slaveservice - You can also edit the scope for this service to use a custom list of allowed machines or restrict it to the current subnet of the server
  4. Remote Desktop - This Windows service can also be filtered by restricting access to a whitelist of allowed machines or the current subnet of the server.
  5. Applications - Even when forcing the mode to application vs. desktop certain applications (such as Internet Explorer) when launched will load a full desktop for the user allowing for launching of unauthorized applications. Additional security measures can be applied in the form of a desktop security policy or by using Domain Group Policy objects when application servers are a member of such a topology. This will greatly restrict information leaks such as review of current local security policy(s).

Usage statistics

The graphing built into the Ulteo administrative interface is limited. Use the following stored procedure for more detailed usage information:

How to

%> mysql -u root -p -e 'use ovd; CALL UlteoStatistics()'


A sample output of statistics (first result set):

    +----------------+-----------------+-----------------+
    | total_sessions | unique_sessions | average_session |
    +----------------+-----------------+-----------------+
    |           1228 |             192 | 01:30:31        |
    +----------------+-----------------+-----------------+
    1 row in set (0.27 sec)


Stored procedure & view re-creation

If the view and the stored procedures have to be re-created, the following will work (kept here as a backup):

%> mysql -u root -p
mysql> USE ovd;
mysql> CREATE OR REPLACE VIEW `statistics` AS
         SELECT `user`, UNIX_TIMESTAMP(`start_stamp`) AS `start`, UNIX_TIMESTAMP(`stop_stamp`) AS `stop`
         FROM `ulteo_sessions_history`;
mysql> DELIMITER //

CREATE DEFINER='root'@'localhost' PROCEDURE UlteoStatisticsTmp()
 COMMENT 'Creates temporary tables for statistics operations'
BEGIN
 -- Scratch table accumulating the total session time (seconds) per user
 DROP TABLE IF EXISTS `processing`;
 CREATE TABLE `processing` (
  `user` CHAR(32) NOT NULL,
  `time` INT(20) NOT NULL,
  UNIQUE KEY `user` (`user`)
 );
END //

CREATE DEFINER='root'@'localhost' PROCEDURE UlteoStatistics()
 COMMENT 'Retrieves and calculates usage statistics'
BEGIN
 DECLARE done INT DEFAULT 0;
 DECLARE usr CHAR(32);
 DECLARE st, stp, secs INT;
 DECLARE ops CURSOR FOR SELECT `user`, `start`, `stop` FROM `statistics`;
 -- The handler must be declared after the cursor; it ends the read loop
 DECLARE CONTINUE HANDLER FOR NOT FOUND SET done = 1;

 SELECT COUNT(`user`) FROM `statistics` INTO @total_sessions;

 CALL UlteoStatisticsTmp;

 OPEN ops;

 read_loop: LOOP
  FETCH ops INTO usr, st, stp;
  IF done THEN
   LEAVE read_loop;
  END IF;

  -- Skip sessions that have not ended yet (no stop_stamp)
  IF stp IS NULL THEN
   ITERATE read_loop;
  END IF;

  -- Duration of this session in seconds, added to the user's running total.
  -- A plain INSERT with the local variables replaces the CONCAT/PREPARE
  -- statement, so a user name containing quotes cannot alter the SQL.
  SET secs = stp - st;
  INSERT INTO `processing` (`user`, `time`) VALUES (usr, secs)
   ON DUPLICATE KEY UPDATE `time` = `time` + secs;
 END LOOP;

 CLOSE ops;

 -- Exclude specific accounts (e.g. test users) from the statistics
 DELETE FROM `processing` WHERE `user` = "u0072039" OR `user` LIKE "test%" OR `user` = "jeff" OR `user` = "u0368839";

 SELECT MIN(`start_stamp`) FROM `ulteo_sessions_history` INTO @since;
 SELECT COUNT(`user`) FROM `processing` INTO @total_unique_users;
 SELECT SEC_TO_TIME(AVG(`time`)) FROM `processing` INTO @average_session_time;

 SELECT @total_sessions AS total_sessions, @total_unique_users AS unique_sessions, @average_session_time AS average_session, @since AS Since;
 SELECT `user`, SEC_TO_TIME(`time`) AS total_session_time FROM `processing`;
END //

mysql> DELIMITER ;


Session XML example

Once an authenticated session is initialized, the session manager returns an XML document like the following to the client; the Java applet uses it to open RDP connections to each listed server, limited to the applications allowed there.

<?xml version="1.0" encoding="utf-8"?>
<session id="1346426160ZGL5k" mode="applications" duration="86400">
  <settings>
    <setting name="user_login" value="[USERNAME]"/>
    <setting name="user_displayname" value="[USERNAME]"/>
    <setting name="locale" value="en_GB"/>
    <setting name="timeout" value="86400"/>
    <setting name="multimedia" value="1"/>
    <setting name="redirect_client_drives" value="full"/>
    <setting name="redirect_client_printers" value="1"/>
    <setting name="rdp_bpp" value="16"/>
    <setting name="enhance_user_experience" value="1"/>
    <setting name="timezone" value="US/Mountain"/>
    <setting name="persistent" value="1"/>
    <setting name="desktop_icons" value="1"/>
    <!-- per-session credentials the client presents to the application servers (APS) and the file server (FS) below -->
    <setting name="aps_access_login" value="u1346426160ZLwq4_APS"/>
    <setting name="aps_access_password" value="bhr87VBM"/>
    <setting name="fs_access_login" value="u1346426160RgjDJA_FS"/>
    <setting name="fs_access_password" value="bdr91ZFE"/>
  </settings>
  <user displayName="[USERNAME]"/>
  <profile server="" dir="p_1346425840O3tkA" login="u1346426160RgjDJA_FS" password="bdr91ZFE"/>
  <server type="linux" fqdn="" login="u1346426160ZLwq4_APS" password="bhr87VBM">
    <application id="106" name="Adobe Reader 9">
      <mime type="application/pdf"/>
      <mime type="application/vnd.adobe.pdx"/>
      <mime type="application/vnd.adobe.xdp+xml"/>
      <mime type="application/vnd.adobe.xfdf"/>
      <mime type="application/vnd.fdf"/>
    </application>
    <application id="108" name="GIMP Image Editor">
      <mime type="application/pdf"/>
      <mime type="application/postscript"/>
      <mime type="image/bmp"/>
      <mime type="image/g3fax"/>
      <mime type="image/gif"/>
      <mime type="image/jpeg"/>
      <mime type="image/pcx"/>
      <mime type="image/png"/>
      <mime type="image/svg+xml"/>
      <mime type="image/tiff"/>
      <mime type="image/x-compressed-xcf"/>
      <mime type="image/x-fits"/>
      <mime type="image/x-icon"/>
      <mime type="image/x-portable-anymap"/>
      <mime type="image/x-portable-bitmap"/>
      <mime type="image/x-portable-graymap"/>
      <mime type="image/x-portable-pixmap"/>
      <mime type="image/x-psd"/>
      <mime type="image/x-sgi"/>
      <mime type="image/x-tga"/>
      <mime type="image/x-wmf"/>
      <mime type="image/x-xbitmap"/>
      <mime type="image/x-xcf"/>
      <mime type="image/x-xpixmap"/>
      <mime type="image/x-xwindowdump"/>
    </application>
    <application id="111" name=" Database">
      <mime type="application/vnd.oasis.opendocument.database"/>
      <mime type="application/vnd.sun.xml.base"/>
    </application>
    <application id="109" name=" Drawing">
      <mime type="application/"/>
      <mime type="application/"/>
      <mime type="application/vnd.stardivision.draw"/>
      <mime type="application/vnd.sun.xml.draw"/>
      <mime type="application/vnd.sun.xml.draw.template"/>
    </application>
    <application id="115" name=" Formula">
      <mime type="application/vnd.oasis.opendocument.formula"/>
      <mime type="application/vnd.oasis.opendocument.formula-template"/>
      <mime type="application/vnd.stardivision.math"/>
      <mime type="application/vnd.sun.xml.math"/>
      <mime type="text/mathml"/>
    </application>
    <application id="102" name=" Presentation">
      <mime type="application/mspowerpoint"/>
      <mime type="application/"/>
      <mime type="application/"/>
      <mime type="application/"/>
      <mime type="application/"/>
      <mime type="application/vnd.oasis.opendocument.presentation"/>
      <mime type="application/vnd.oasis.opendocument.presentation-template"/>
      <mime type="application/vnd.openxmlformats-officedocument.presentationml.presentation"/>
      <mime type="application/vnd.openxmlformats-officedocument.presentationml.slideshow"/>
      <mime type="application/vnd.openxmlformats-officedocument.presentationml.template"/>
      <mime type="application/vnd.stardivision.impress"/>
      <mime type="application/vnd.sun.xml.impress"/>
      <mime type="application/vnd.sun.xml.impress.template"/>
    </application>
    <application id="103" name=" Spreadsheet">
      <mime type="application/csv"/>
      <mime type="application/excel"/>
      <mime type="application/msexcel"/>
      <mime type="application/tab-separated-values"/>
      <mime type="application/vnd.lotus-1-2-3"/>
      <mime type="application/"/>
      <mime type="application/"/>
      <mime type="application/"/>
      <mime type="application/"/>
      <mime type="application/vnd.oasis.opendocument.chart"/>
      <mime type="application/vnd.oasis.opendocument.chart-template"/>
      <mime type="application/vnd.oasis.opendocument.spreadsheet"/>
      <mime type="application/vnd.oasis.opendocument.spreadsheet-template"/>
      <mime type="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"/>
      <mime type="application/vnd.openxmlformats-officedocument.spreadsheetml.template"/>
      <mime type="application/vnd.stardivision.calc"/>
      <mime type="application/vnd.stardivision.chart"/>
      <mime type="application/vnd.sun.xml.calc"/>
      <mime type="application/vnd.sun.xml.calc.template"/>
      <mime type="application/x-123"/>
      <mime type="application/x-dbase"/>
      <mime type="application/x-dbf"/>
      <mime type="application/x-dos_ms_excel"/>
      <mime type="application/x-excel"/>
      <mime type="application/x-ms-excel"/>
      <mime type="application/x-msexcel"/>
      <mime type="application/x-quattropro"/>
      <mime type="text/comma-separated-values"/>
      <mime type="text/csv"/>
      <mime type="text/spreadsheet"/>
      <mime type="text/tab-separated-values"/>
      <mime type="text/x-comma-separated-values"/>
      <mime type="text/x-csv"/>
    </application>
    <application id="101" name=" Word Processor">
      <mime type="application/msword"/>
      <mime type="application/rtf"/>
      <mime type="application/"/>
      <mime type="application/"/>
      <mime type="application/"/>
      <mime type="application/vnd.oasis.opendocument.text"/>
      <mime type="application/vnd.oasis.opendocument.text-master"/>
      <mime type="application/vnd.oasis.opendocument.text-template"/>
      <mime type="application/vnd.openxmlformats-officedocument.wordprocessingml.document"/>
      <mime type="application/vnd.openxmlformats-officedocument.wordprocessingml.template"/>
      <mime type="application/vnd.stardivision.writer"/>
      <mime type="application/vnd.stardivision.writer-global"/>
      <mime type="application/vnd.sun.xml.writer"/>
      <mime type="application/"/>
      <mime type="application/vnd.sun.xml.writer.template"/>
      <mime type="application/vnd.wordperfect"/>
      <mime type="application/wordperfect"/>
      <mime type="application/x-extension-txt"/>
      <mime type="application/x-t602"/>
      <mime type="text/plain"/>
      <mime type="text/rtf"/>
    </application>
  </server>
  <server type="windows" fqdn="" login="u1346426160ZLwq4_APS" password="bhr87VBM">
    <application id="60" name="Adobe After Effects CS5"/>
    <application id="37" name="Adobe Bridge CS5"/>
    <application id="93" name="Adobe Contribute CS5"/>
    <application id="63" name="Adobe Dreamweaver CS5">
      <mime type="application/xml"/>
      <mime type="text/css"/>
      <mime type="text/html"/>
      <mime type="text/plain"/>
      <mime type="text/xml"/>
    </application>
    <application id="52" name="Adobe Encore CS5"/>
    <application id="43" name="Adobe ExtendScript Toolkit CS5"/>
    <application id="65" name="Adobe Extension Manager CS5"/>
    <application id="68" name="Adobe Fireworks CS5">
      <mime type="image/png"/>
      <mime type="image/x-png"/>
    </application>
    <application id="79" name="Adobe Flash Builder 4"/>
    <application id="56" name="Adobe Flash Catalyst CS5"/>
    <application id="45" name="Adobe Flash Professional CS5"/>
    <application id="58" name="Adobe Illustrator CS5">
      <mime type="application/msword"/>
      <mime type="application/postscript"/>
      <mime type="application/"/>
      <mime type="application/vnd.openxmlformats-officedocument.wordprocessingml.document"/>
      <mime type="application/xml"/>
      <mime type="image/bmp"/>
      <mime type="image/gif"/>
      <mime type="image/jpeg"/>
      <mime type="image/pjpeg"/>
      <mime type="image/png"/>
      <mime type="image/tiff"/>
      <mime type="image/x-png"/>
      <mime type="text/plain"/>
      <mime type="text/xml"/>
    </application>
    <application id="50" name="Adobe InDesign CS5"/>
    <application id="92" name="Adobe Media Encoder CS5"/>
    <application id="76" name="Adobe OnLocation CS5"/>
    <application id="96" name="Adobe Photoshop CS5"/>
    <application id="80" name="Adobe Pixel Bender Toolkit 2"/>
    <application id="47" name="Amos 20 Commuter License"/>
    <application id="69" name="Amos Graphics"/>
    <application id="81" name="IBM SPSS Statistics 20"/>
    <application id="84" name="IBM SPSS Statistics 20 Commuter License"/>
    <application id="73" name="Language"/>
    <application id="49" name="Microsoft OneNote 2010">
      <mime type="application/msonenote"/>
    </application>
    <application id="77" name="Microsoft PowerPoint 2010">
      <mime type="application/"/>
      <mime type="application/"/>
      <mime type="application/"/>
      <mime type="application/"/>
      <mime type="application/"/>
      <mime type="application/"/>
      <mime type="application/"/>
      <mime type="application/"/>
      <mime type="application/vnd.oasis.opendocument.presentation"/>
      <mime type="application/vnd.openxmlformats-officedocument.presentationml.presentation"/>
      <mime type="application/vnd.openxmlformats-officedocument.presentationml.slide"/>
      <mime type="application/vnd.openxmlformats-officedocument.presentationml.slideshow"/>
      <mime type="application/vnd.openxmlformats-officedocument.presentationml.template"/>
      <mime type="application/x-mspowerpoint"/>
      <mime type="application/x-mspowerpoint.12"/>
      <mime type="application/x-mspowerpoint.macroEnabled.12"/>
    </application>
    <application id="75" name="Microsoft Publisher 2010">
      <mime type="application/"/>
    </application>
    <application id="38" name="Microsoft SharePoint Workspace 2010"/>
    <application id="54" name="Microsoft Word 2010">
      <mime type="application/msword"/>
      <mime type="application/"/>
      <mime type="application/"/>
      <mime type="application/"/>
      <mime type="application/"/>
      <mime type="application/vnd.oasis.opendocument.text"/>
      <mime type="application/vnd.openxmlformats-officedocument.wordprocessingml.document"/>
      <mime type="application/vnd.openxmlformats-officedocument.wordprocessingml.template"/>
      <mime type="application/xml"/>
      <mime type="text/html"/>
      <mime type="text/xml"/>
    </application>
    <application id="85" name="Program Editor"/>
    <application id="86" name="Seed Manager"/>
    <application id="66" name="Text Output"/>
    <application id="91" name="User-Defined Estimands"/>
    <application id="87" name="View Data"/>
  </server>
  <server type="windows" fqdn="" login="u1346426160ZLwq4_APS" password="bhr87VBM">
    <application id="29" name="Gleim CPA Test Prep 2012 Network Edition"/>
  </server>
</session>
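An added example (not code from the original gist or from Ulteo) that parses a session document of this shape and audits it against the hardening goals above: it lists the servers the applet will be told to reach over RDP, the applications allowed on each, and flags servers outside an operator-supplied whitelist, `<server>` credentials that differ from the `aps_access_*` settings, and redirection settings that expose client resources. The sample document, hostnames and credentials are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the session document above; hostnames, logins
# and passwords are placeholders, not values from a real deployment.
SAMPLE_SESSION = """<?xml version="1.0" encoding="utf-8"?>
<session id="1346426160ZGL5k" mode="applications" duration="86400">
  <settings>
    <setting name="user_login" value="jdoe"/>
    <setting name="redirect_client_drives" value="full"/>
    <setting name="redirect_client_printers" value="1"/>
    <setting name="aps_access_login" value="uEXAMPLE_APS"/>
    <setting name="aps_access_password" value="APS-SECRET"/>
    <setting name="fs_access_login" value="uEXAMPLE_FS"/>
    <setting name="fs_access_password" value="FS-SECRET"/>
  </settings>
  <user displayName="jdoe"/>
  <profile server="fs.example.invalid" dir="p_1" login="uEXAMPLE_FS" password="FS-SECRET"/>
  <server type="linux" fqdn="aps1.example.invalid" login="uEXAMPLE_APS" password="APS-SECRET">
    <application id="106" name="Adobe Reader 9"><mime type="application/pdf"/></application>
  </server>
  <server type="windows" fqdn="aps9.example.invalid" login="uEXAMPLE_APS" password="other">
    <application id="54" name="Microsoft Word 2010"/>
  </server>
</session>"""


def parse_session(xml_text):
    """Return ({setting name: value}, [server dicts]) from a session document."""
    root = ET.fromstring(xml_text)
    settings = {s.get("name"): s.get("value") for s in root.iter("setting")}
    servers = []
    for srv in root.findall("server"):
        servers.append({
            "type": srv.get("type"),
            "fqdn": srv.get("fqdn"),
            "login": srv.get("login"),
            "password": srv.get("password"),
            # the applications the client may launch on this server over RDP
            "applications": [a.get("name") for a in srv.findall("application")],
        })
    return settings, servers


def audit_session(xml_text, allowed_fqdns):
    """Return hardening findings; allowed_fqdns is the operator's server whitelist."""
    settings, servers = parse_session(xml_text)
    findings = []
    if settings.get("redirect_client_drives") == "full":
        findings.append("client drives are fully redirected into the session")
    if settings.get("redirect_client_printers") == "1":
        findings.append("client printers are redirected into the session")
    aps_creds = (settings.get("aps_access_login"), settings.get("aps_access_password"))
    for srv in servers:
        if srv["fqdn"] not in allowed_fqdns:
            findings.append("server %s is not on the whitelist" % srv["fqdn"])
        # Each <server> should carry the per-session APS credentials from <settings>
        if (srv["login"], srv["password"]) != aps_creds:
            findings.append("server %s credentials differ from aps_access_*" % srv["fqdn"])
    profile = ET.fromstring(xml_text).find("profile")
    if profile is not None and profile.get("server") not in allowed_fqdns:
        findings.append("profile server %s is not on the whitelist" % profile.get("server"))
    return findings
```

Run `audit_session(SAMPLE_SESSION, {"aps1.example.invalid", "fs.example.invalid"})` to see the four findings the sample produces.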