Secure Global Desktop 4.40 Administration Guide > Applications, Documents, and Application Servers > Configuring Client Drive Mapping

Configuring Client Drive Mapping

Client drive mapping (CDM) allows SGD users to access the drives on their client device from applications running on UNIX, Linux or Microsoft Windows platform application servers.

To enable CDM, you have to perform the following configuration:

1. Configure the application servers for CDM.

   See Configuring UNIX and Linux Platform Application Servers for CDM.

   See Configuring Microsoft Windows Application Servers for CDM.

2. Enable CDM services in SGD.

   See Enabling SGD Client Drive Mapping Services

3. Configure the drives you want users to access from SGD.

   See Configuring the Drives Available to UNIX, Linux and Mac OS X Platform Client Devices.

   See Configuring the Drives Available to Microsoft Windows Client Devices.

Configuring UNIX and Linux Platform Application Servers for CDM

1. Install the Sun Secure Global Desktop Enhancement Module for UNIX(TM) and Linux Platforms.

   The Sun Secure Global Desktop Software Installation Guide has details of how to install the Enhancement Module. The Sun Secure Global Desktop Software Release Notes lists the supported platforms for Enhancement Module.

2. Configure the Network File System (NFS) share (export) to be used for CDM.

   You must have an NFS server installed and running on the application server. The NFS server must share (export) a directory to be used for CDM. By default, the directory is /smb. You have to manually create and export this directory. The share must be accessible to localhost and users must have read and write access to it. Consult your system documentation for details of how to configure an NFS server and export a directory.

   You can specify an alternative NFS share in the client drive mapping configuration file, /opt/tta_tem/etc/client.prf. Edit the [nfsserver/mount/mountpoint={(/smb)}] setting to reflect the name of the share.

3. Start the client drive mapping processes on the application server.

   As superuser (root), use the following command:

   # /opt/tta_tem/bin/tem startcdm

Configuring How Drives Are Displayed

When CDM is enabled, the user's client drives or file systems are available by default in the My SGD drives directory in the user's home directory. The My SGD drives directory is a symbolic link to the NFS share that is used for CDM.

You can configure the name and location of the symbolic link by adding one or more of the following settings to the CDM configuration file, /opt/tta_tem/etc/client.prf:

• [nfsserver/user/symlinkname={(symlink)}]

  The name of the symbolic link. Default: My SGD Drives

  For example, to change the name of the symbolic link to Client Shares, add the following line to the configuration file:
  [nfsserver/user/symlinkname={(Client Shares)}]

• [nfsserver/user/symlinkdir={(dir)}]

  The directory where the symbolic link is created. Default: $HOME

  For example, to create the symbolic link in the /tmp directory, add the following line to the configuration file:
  [nfsserver/user/symlinkdir={(/tmp)}]

  The directory can also be specified using environment variables. The variables you can use are controlled by the nfsserver/user/envvars setting.

  For example, to create the symbolic link in the /tmp/username directory, add the following line to the configuration file:
  [nfsserver/user/symlinkdir={(/tmp/$USER)}]

• [nfsserver/user/envvars={(var)...}]

  The list of environment variables that can be used when specifying the directory where the symbolic link is created. Default: (USER)(HOME)(LOGNAME)

  Enclose each variable in parentheses. Do not include the dollar sign ($) before the variable name.

  The variables in the list replace the default variables.

  For example, to be able to use the HOME, USER, DISPLAY and TMPDIR variables, add the following line to the configuration file:
  [nfsserver/user/envvars={(HOME)(USER)(DISPLAY)(TMPDIR)}]

After making any changes to the CDM configuration file, you must restart the CDM processes on the application server as follows:

1. Log in as superuser (root).
2. Use the following commands:

   # /opt/tta_tem/bin/tem stopcdm
   # /opt/tta_tem/bin/tem startcdm

Configuring Microsoft Windows Application Servers for CDM

1. Install the Sun Secure Global Desktop Enhancement Module for Windows.

   The Sun Secure Global Desktop Software Installation Guide has details of how to install the Enhancement Module. The Sun Secure Global Desktop Software Release Notes lists the supported platforms for Enhancement Module.

2. (Optional) Reconfigure the application server's drives.

   See Remapping or Hiding Microsoft Windows Application Server Drives.

Note CDM is only available for Windows applications that are configured to use the Microsoft RDP Windows Protocol.

Remapping or Hiding Microsoft Windows Application Server Drives

By default, a Microsoft Windows application server's drives are also listed when users access their client drives from a Windows application. If you want users to see familiar drive letters, such as drive A for their client's floppy drive, you can configure the application server to remap its drive letters or hide its drives.

On a Microsoft Windows application server, you can use the Computer Management tools to do the following:

• Disable (remove) drives A and B

  You cannot change the drive letters to use for floppy drives. To allow use of drive letters A and B to access client drives, you must disable the floppy drives on the application server.

• Disable (remove) or remap any CD or DVD drives

  If you disable access to a CD or DVD drive rather than change the drive letter used, you are not able to install software from that drive unless you temporarily enable access again.

• Remap hard drives

  The application server boot volume cannot be remapped.

To ensure consistency for users, remap or disable drives in the same way on all Microsoft Windows application servers used for CDM.

For information on hiding drives so that users can only access a limited set of drives, see the Microsoft article Using Group Policy Objects to Hide Specified Drives in My Computer for Windows 2000 (Q231289)

Enabling SGD Client Drive Mapping Services

If you use another Server Message Block (SMB) server, such as Samba, on the same host as the SGD server, you cannot start CDM services on an SGD host because both services use TCP port 139. To use CDM, you must either disable the other SMB server or configure the host to allow more than one service to use TCP port 139. See Running CDM and Another SMB Service on the Same Host for details.

To enable CDM services:

1. In the SGD Administration Console, click the Global Settings » Client Device tab.
2. Select the Client Drive Mapping check box.
3. (Optional) Select the Windows Internet Naming Service (WINS) check box.

   Enabling WINS can improve CDM performance. Only enable WINS if either of the following is true:

   • Your Microsoft Windows application servers are on the same subnet as an SGD server.
   • Your Microsoft Windows application servers list an SGD server as a WINS server.
4. For Fallback Drive Search, choose a drive letter to Start at and a Direction.

   These settings are used for Microsoft Windows client devices only. If the desired drive letter is already allocated on a Microsoft Windows application server, the first available fallback drive letter is allocated instead. By default, this is drive V, then drive U, then drive T, and so on.

5. Click Save.
6. Either restart all the SGD servers in the array or use the tarantella start cdm command on each SGD server in the array.

After you enable CDM, users must log out and log in again (start a new user session) to be able to access their client drives or file systems.

Running CDM and Another SMB Service on the Same Host

In a default installation, you cannot use CDM and run another SMB service, such as Samba, on the SGD host because they both use TCP port 139.

To allow more than one service to use TCP port 139:

1. Configure the SGD host to have more than one IP address.

   Either install another network interface card (NIC) or using IP aliasing to assign multiple IP addresses to a single NIC.

2. Configure the IP addresses you want an SGD server to bind to for CDM.

   Repeat the following steps on each SGD server that also has an SMB service enabled.

   1. Log in as superuser (root) on the SGD host.
   2. Stop the Secure Global Desktop server.
   3. Run the following command:

      # tarantella config edit --tarantella-config-cdm-externalnbtaddress ip_address ...

      The default setting is * which means bind to all interfaces. Separate each IP address with a space.

   4. Start the Secure Global Desktop server.
3. Configure the other SMB service(s) to bind to a different IP address.

Configuring the Drives Available to UNIX, Linux and Mac OS X Platform Client Devices

By default, users with UNIX, Linux and Mac OS X platform client devices have access to their home directory and this is mapped to a drive called "My Home".

Users can configure which part of their client file system they can access from applications by editing the $HOME/.tarantella/native-cdm-config configuration file. This file is automatically created when the SGD Client is installed. The file contains detailed instructions for users on how to create mapped drives.

The configuration file contains entries with the form <path> <type> <label> where:

• <path> is the absolute path name of the client file system.
• <type> is either unknown, fixed, floppy, cdrom or remote.
• <label> is the name that is used in the application session.

Use a separate line for each drive and separate each of the fields with a space or a tab. If either the <path> or the <label> fields contains spaces or tabs, enclose the field in quotes.

You can use environment variables in the <path> or <label> fields. You delimit these with a dollar sign ($). To use a literal $, escape it with another $.

The following is an example configuration file:

[CDM]
$HOME$ fixed "My Home"
/tmp/$USER$ fixed Temp
"/mnt/win/My Documents" fixed "My Local Documents"
[/CDM]
    

Note Changes to the configuration file only take effect for new user sessions.

Configuring the Drives Available to Microsoft Windows Client Devices

For Microsoft Windows client devices, you configure the drives you want users to access with the Client Drive Mapping attribute on the Client Device tab for user profiles, organizational unit objects and organization objects. CDM uses inheritance. You define access to client drives at an organization level, which you can override at an organizational unit level or user profile level. By default, users have read and write access to all drives.

When a user logs in to an SGD server, information is gathered about the drives on the client device. For each available drive, the Client Drive Mapping attribute on the user profile is checked. If there is no matching client drive configured, the parent organizational unit's Client Drive Mapping attribute is checked, and so on up the organizational hierarchy to the organization object.

If a match is found, then the associated access rights are granted for that drive, using the configured drive letter. If that drive letter is already in use on the application server, the Fallback Drive Search attribute on the Global Settings » Client Device tab in the SGD Administration Console is used to determine the drive letter to use.

At each level you configure a number of drive mapping specifications. Each of these states a client drive letter, the access rights to that drive, and the application server drive letter to allocate. For example, you might specify that a user has read-write access to client drive A using application server drive Z. The first matching entry in the list is used, so make sure the most specific settings (for example, A or B) appear before more general settings (for example, All Drives).

Note Changes to client drive specifications only take effect for new user sessions.

Example

You want to disable access to all client drives for all users and then give only Ruby Port access to her PC's floppy drive.

To disable access to all client drives:

1. In the SGD Administration Console, click the User Profiles tab and select the o=Indigo Insurance object.
2. Click the Client Device tab.
3. In the Client Drive Mapping table, select the check box next to All Drives and click the Edit button.

   The Edit Drive Map window displays.

4. From the Access Rights list, select None.
5. Click OK.

   The Edit Drive Map window closes and the Client Drive Mapping table is updated.

To give Ruby Port access to her PC's floppy drive:

1. In the SGD Administration Console, click the User Profiles tab and select the user profile for Ruby Port's.
2. Click the Client Device tab.
3. In the Client Drive Mapping table, click the New button.

   The Add New Drive Map window displays.

4. From the Client Device Drive list, select A: (the drive letter of Ruby's floppy drive) or R/W Removable (this matches all read-write removable drives, such as floppy drives).
5. From the Access Rights list, select Read/Write.

   This gives Ruby full access to the drive, as long as the floppy disk is not write-protected.

6. From the Application Server Drive Letter list, select Same as Client.

   With this setting, SGD attempts to use the same drive letters on the application server as are used on the client device.

7. Click OK.

   The Add New Drive Map window closes and the Client Drive Mapping table is updated.

Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.