Advanced Configurations
Enhanced Shell Tracking for Applications in Shell Mode
The new session host server supports enhanced tracking of applications running in shell mode. Examples of such applications are:
- Internet Explorer
- Explorer (My PC)
- Google Chrome
- Batch script driven app launches
Note
The feature is limited to applications delivered in shell mode only and is controlled by Controller v3.3. If session host v3.3.0.11119 or greater is used with a v3.2 controller, the feature must be configured carefully through the registry. Please see the appendix for detailed information.
Configuration to Run Application with Specific User Credentials
In some deployments, an application must run with specific user privileges. From HyWorks v3.3 onwards, the administrator can configure the application to run as:
- Logged-in User (Default option)
- System User
- Specific User Credentials
Direct RDP/Console Block
In some deployments, direct access (console/RDP) needs to be blocked for users. From HyWorks v3.3 onwards, access can be blocked through the following registry entries on the Session Host Server machine:
Registry key for Direct RDP Block: (default: false)
HKLM\SOFTWARE\Accops\Controller\EDC\SESSIONHOST\DirectRdpBlocked
Registry key for Direct Console Block: (default: false)
HKLM\SOFTWARE\Accops\Controller\EDC\SESSIONHOST\DirectConsoleBlocked
Registry key for Direct RDP/Console Block Timeout: (default: 15 seconds)
HKLM\SOFTWARE\Accops\Controller\EDC\SESSIONHOST\DirectRdpBlockTimeoutSec
Note that all users with admin privileges are allowed to access.
External log Settings
In some deployments, user sessions must be monitored for audit purposes. From HyWorks v3.3 onwards, two types of monitoring are available:
- User Session Monitoring
- Process Monitoring
Registry Base:
HKLM\SOFTWARE\Accops\Controller\EDC\SESSIONHOST\EXTERNAL LOG SETTINGS
The administrator can configure session monitoring by updating the registry entries. Details of the registry key values are as follows.
Key Name | Default Value | Type | Value Range |
---|---|---|---|
EventType | 0 | String | 0: Disabled; 1: User Session Monitoring; 2: Process Monitoring; 3: Both |
LogType | 0 | String | Set as 2 to enable Syslog server logging |
IgnoreList | C:\Windows\System32* | Multi String | Processes/folders to be ignored for process tracking |
SyslogHost | 0.0.0.0 | String | Syslog server or Accops ARS Server IP address or Hostname |
SyslogPort | 514 | String | Syslog server or Accops ARS Server Port number |
Network Activity Monitoring on Session Host Servers
The latest session host server (v13063 or later) can track and monitor all network activities in a user session. The session host server can send these activities to the configured ARS (Accops Reporting Server) or syslog server for reporting and auditing.
Purpose
The purpose of this feature is to monitor users' network activities from the session host server.
Supported Version
- HyWorks Session Host Server v3.3.0.13063 or later
- HyWorks Controller v3.3.0.12803(GA)+Hotfix4 or later
How does network activity monitoring work?
The session host server has a driver that captures network activity; the driver shares the captured network activities with the session host server.
The session host server appends some more information to the details captured by the driver and sends them to the configured ARS server.
Enable network activity monitoring
Network activity monitoring is currently controlled from registry settings on the session host server. Follow the steps below to enable it:
- Log in with administrative privileges on the session host server
- Open the registry editor
- Go to the following registry location:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Accops\Controller\EDC\SESSIONHOST\EXTERNAL LOG SETTINGS
- Set key "EnableLogShipper" as True
- For EventType, set 3 to monitor user connection events as well as processes accessed by the user. For other options, refer to the section External log Settings
- Set LogType as 2 for Syslog server logging
- Set the Syslog/ARS host address in the SyslogHost key
- Set SyslogPort as per configuration; the default is 514
- Review all configurations and restart the Session host service
- For all new sessions, network activities will be monitored and sent to the configured ARS/Syslog server, with the following details:
Attribute Name | Meaning |
---|---|
host | IP address of host |
iptype | IPv6 or IPv4 |
pid | Process Id |
srchostname | Hostname of source server |
srcip | IP Address of source server |
srcport | Port number used for network activity |
dstip | Destination server IP address to which network activity is done |
dstport | Port number to which network activity is done |
domain | Domain to which source server is registered |
username | Username under which the network activity is done |
wtsid | Remote desktop session ID |
protocol | Protocol used for communication (6: TCP, 17: UDP) |
macaddress | MAC address of the endpoint from which the user is connected to the source remote server. This is controlled from HyWorks Controller; see the next sub-section for more details |
process | Name of process, which is used for network activity |
timestamp | Time of network activity |
Enabling Client Information from Controller
While capturing network activity, the source is always the remote desktop server, so when multiple users initiate different network connections, the source information is the same. To make the records more distinct, client information (MAC address) can be added. This information is sent by HyWorks Controller, and the session host server appends it before sending to the syslog/ARS server. This configuration is available on HyWorks Controller v3.3.0.12803 (GA) + Hotfix4. To enable it, follow the steps below:
- Log in to HyWorks Management Console with administrative privileges
- Go to System - Advanced Config
- Search and locate setting ShareClientInfo
- Set it as True, default value is False.
- Now network activity logs will have client MAC address appended.
Note
- When connecting from HyLite or through direct RDP sessions, the MAC address will not be captured.
- If the source host has a proxy server configured for internet access, all network connection logs will show the IP address of the configured proxy server as the destination server IP.
- To enable this feature on Windows 2008R2-SP1, update KB3033929 must be installed.
- In reconnected sessions, the client information of the first client is shown, not that of the client from which the session is currently reconnected.
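The attribution point above (every record carries the session host as its source, so username, wtsid and macaddress are what tell users apart), as an added PowerShell example that is not part of the HyWorks documentation. The events are constructed, the function and variable names are hypothetical, and the records are assumed to be already parsed into objects that use the attribute names from the table.

```powershell
# Constructed sample events; property names follow the attribute table above.
# How ARS or the syslog server stores these records is not specified on this page.
$SampleEvents = @(
    [pscustomobject]@{ username='alice'; wtsid=3; srcip='10.0.0.5'; dstip='198.51.100.7'; dstport=443; protocol=6;  macaddress='00-00-5E-00-53-01'; process='chrome.exe' }
    [pscustomobject]@{ username='alice'; wtsid=3; srcip='10.0.0.5'; dstip='192.0.2.53';   dstport=53;  protocol=17; macaddress='00-00-5E-00-53-01'; process='chrome.exe' }
    [pscustomobject]@{ username='bob';   wtsid=4; srcip='10.0.0.5'; dstip='203.0.113.9';  dstport=22;  protocol=6;  macaddress='';                  process='putty.exe' }
    [pscustomobject]@{ username='bob';   wtsid=4; srcip='10.0.0.5'; dstip='203.0.113.9';  dstport=22;  protocol=6;  macaddress='';                  process='putty.exe' }
)

$ProtocolName = @{ 6 = 'TCP'; 17 = 'UDP' }   # values given in the attribute table

function Get-SessionNetworkSummary {
    param([object[]]$Events)
    # srcip is the session host for every user, so group on username + wtsid instead.
    $Events | Group-Object -Property username, wtsid | ForEach-Object {
        $group = $_.Group
        # Distinct, non-empty client MAC addresses seen for this session
        $macs  = @($group | ForEach-Object { $_.macaddress } | Where-Object { $_ } | Sort-Object -Unique)
        # Distinct destinations with protocol name and originating process
        $dests = @($group | ForEach-Object {
            '{0} {1}:{2} ({3})' -f $ProtocolName[[int]$_.protocol], $_.dstip, $_.dstport, $_.process
        } | Sort-Object -Unique)
        [pscustomobject]@{
            User         = $group[0].username
            WtsId        = $group[0].wtsid
            ClientMac    = $macs -join ', '
            # True when no MAC was appended: ShareClientInfo is False, or the
            # session came from HyLite or direct RDP (see the notes above).
            NoClientInfo = ($macs.Count -eq 0)
            Destinations = $dests
        }
    }
}

Get-SessionNetworkSummary -Events $SampleEvents | Format-List
```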
Allow calls from authorized controller(s) only
In some deployments, unauthorized access to the session host service must be blocked. From HyWorks v3.3 onwards, the administrator can block unauthorized access by updating the authorized controller IPs list at: (default value: '*')
HKLM\SOFTWARE\Accops\Controller\EDC\SESSIONHOST\AuthorizedControllerIPs
Note
- The default value is '*', which means all controllers are allowed to connect
- Replacing '*' with one or more (multi-string) controller IPs allows only the listed controller(s) to communicate with the local Session Host Service
- If an unauthorized controller tries to communicate, an error is logged in both the Session Host and controller logs
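A read-only check of the Direct RDP/Console Block, External log Settings and AuthorizedControllerIPs values described above, added here as an example and not taken from Accops. It assumes the enabled state is stored as the string True (or 1) and that a missing value means the documented default; the function names are hypothetical.

```powershell
$Base   = 'HKLM:\SOFTWARE\Accops\Controller\EDC\SESSIONHOST'
$LogKey = Join-Path $Base 'EXTERNAL LOG SETTINGS'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Emits nothing when the key or the value does not exist.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-SessionHostSettings {
    $findings = @()

    # Direct RDP/console block. Assumption: "enabled" is stored as True (or 1).
    foreach ($name in 'DirectRdpBlocked', 'DirectConsoleBlocked') {
        $value = "$(Get-RegValue $Base $name)"
        if ($value -notmatch '^(true|1)$') {
            $findings += "$name is not enabled (value: '$value', default is false)"
        }
    }

    # AuthorizedControllerIPs: '*' (also the default) accepts calls from any controller.
    $ips = @(Get-RegValue $Base 'AuthorizedControllerIPs')
    if ($ips.Count -eq 0 -or $ips -contains '*') {
        $findings += "AuthorizedControllerIPs is unset or contains '*'"
    }
    foreach ($ip in $ips) {
        $parsed = $null
        if ($ip -ne '*' -and -not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) {
            $findings += "AuthorizedControllerIPs entry '$ip' is not an IP address"
        }
    }

    # External log settings: events must be enabled and shipped to a real host.
    $eventType  = "$(Get-RegValue $LogKey 'EventType')"
    $logType    = "$(Get-RegValue $LogKey 'LogType')"
    $syslogHost = "$(Get-RegValue $LogKey 'SyslogHost')"
    $syslogPort = "$(Get-RegValue $LogKey 'SyslogPort')"
    if ($eventType -notin '1', '2', '3') { $findings += "EventType is '$eventType': monitoring is disabled" }
    if ($logType -ne '2') { $findings += "LogType is '$logType': syslog logging is not enabled" }
    if ($syslogHost -in '', '0.0.0.0') { $findings += 'SyslogHost is unset or still 0.0.0.0' }
    $port = 0
    if ($syslogPort -ne '' -and
        (-not [int]::TryParse($syslogPort, [ref]$port) -or $port -lt 1 -or $port -gt 65535)) {
        $findings += "SyslogPort '$syslogPort' is not a valid port"
    }
    $findings
}

$report = @(Test-SessionHostSettings)
if ($report.Count -eq 0) { 'No findings.' } else { $report }
```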
Session change event scripts support
In some deployments, scripts must be executed on session change events. From HyWorks v3.3 onwards, six session change event types are supported:
- CONNECT
- DISCONNECT
- LOCK
- LOGOUT
- RECONNECT
- UNLOCK
Registry Base:
HKLM\SOFTWARE\Accops\Controller\EDC\SESSIONHOST\
The administrator can configure session change events by updating the registry entries. Details of the registry key values are as follows.
Key Name | Name | Value | Type | Meaning |
---|---|---|---|---|
EVENTS | EnableForAdmins | FALSE | String | Set this flag as True to enable Session Change Events scripts execution for Admin users too. |
EVENTS\CONNECT | ISENABLED | FALSE | String | Set this flag as True to enable Connect Event script execution. |
EVENTS\DISCONNECT | ISENABLED | FALSE | String | Set this flag as True to enable Disconnect Event script execution. |
EVENTS\LOCK | ISENABLED | FALSE | String | Set this flag as True to enable Lock Event script execution. |
EVENTS\LOGOUT | ISENABLED | FALSE | String | Set this flag as True to enable Logout Event script execution. |
EVENTS\RECONNECT | ISENABLED | FALSE | String | Set this flag as True to enable Reconnect Event script execution. |
EVENTS\UNLOCK | ISENABLED | FALSE | String | Set this flag as True to enable Unlock Event script execution. |
The Accops Session Recording module is driven by these scripts, which have default calls added. The same scripts can be updated for other custom usage. Scripts root folder:
C:\Program Files (x86)\Accops\HyWorks\SessionHost\scripts\
Script Name | Description |
---|---|
Connect_System.bat | Used to execute batch commands in System context on the Connect event. |
Connect_User.bat | Used to execute batch commands in User context on the Connect event. |
Disconnect_System.bat | Used to execute batch commands in System context on the Disconnect event. |
Disconnect_User.bat | Used to execute batch commands in User context on the Disconnect event. |
Lock_System.bat | Used to execute batch commands in System context on the Lock event. |
Lock_User.bat | Used to execute batch commands in User context on the Lock event. |
Logout_System.bat | Used to execute batch commands in System context on the Logout event. |
Reconnect_System.bat | Used to execute batch commands in System context on the Reconnect event. |
Reconnect_User.bat | Used to execute batch commands in User context on the Reconnect event. |
Unlock_System.bat | Used to execute batch commands in System context on the Unlock event. |
Unlock_User.bat | Used to execute batch commands in User context on the Unlock event. |
Pre-Post Scripts for AppLauncher (Linux Only)
HyWorks v3.3 now allows pre and post batch scripts to be executed at application/desktop launch, which means these scripts are executed before the application or desktop is launched, as some deployments need pre-post cleanups.
The scripts can be updated at (folder):
/etc/edcdvm/linuxDVM/scripts/
Available Scripts names:
- AppLauncherPostScript.sh
- AppLauncherPreScript.sh
HyShell
HyShell is a desktop customization utility that comes integrated with HyWorks Session Host Server. The primary objective of HyShell is to publish and manage desktop shortcuts on the desktop of the user session from the session host server. HyShell manages only the desktop shortcuts that it created, not public shortcuts installed by the administrator.
Purpose
HyShell publishes shortcuts only for the (virtual) applications that are assigned to the user (which means the user is authorized to use them), so that the user does not see many shortcuts for applications that are of no use. For example, a session host server has 50 different applications installed, whereas a typical user uses only 5 of them. Showing all 50 would be very confusing for the user; instead, the user is shown only the 5 applications that are useful. The same approach is followed for other users, and this is what HyShell does with the shared hosted desktop.
How does HyShell work?
The functioning of HyShell is simple: when a user connects to a shared hosted desktop from an appropriate HyWorks/HyLite endpoint, HyShell is invoked. It communicates with the Controller to get the list of applications that are assigned to the user and belong to this session host server. HyShell then creates desktop shortcuts for all applications assigned to the user and removes any other shortcuts that are not assigned to the user.
Session Host Server Components
AppLauncher: It is called once the user logs in via the client. AppLauncher executes the HyShell script to customize the desktop. This script can set application access and launch HyShell to create desktop shortcuts and start menu links.
HyShell: HyShell runs in user context, so it collects user details such as the user desktop path, user start menu path, user session ID (WtsId), etc. After collecting this basic information, it calls the Session Host API that is exposed for HyShell tasks.
SessionHost: Session host exposes an endpoint for HyShell to accept user-related data and executes the following tasks:
- Run HyShellServerPreScript.ps1: This script contains PowerShell code to perform operations required before creating desktop shortcuts.
- Get the application list and its details from the local DB and Controller for the specified user.
- Try to create desktop icons and start menu links for the user's applications.
- Run HyShellServerPostScript.ps1: This script contains PowerShell code to perform operations required after creating desktop shortcuts.
Enabling HyShell
To enable HyShell, the following configurations need to be done:
- Configure applications to be published for shared hosted desktops (in HyShell)
  - Log in to the HyWorks Controller Management console with administrator rights
  - In the Add/Edit application wizard, go to the Additional Settings screen
  - In the Access Settings section, select the following options:
    - Create Desktop Shortcut -> On shared hosted desktops
    - Pin Application to Start Menu -> On shared hosted desktops
  - Enable the above options for all applications whose shortcuts need to be created on the shared hosted desktop.
Note
HyShell creates shortcuts for virtual applications that are published on HyWorks. Shortcuts are created for:
- Applications that are published in HyWorks and enabled for shortcut creation on shared hosted desktops
- Applications that are installed and published from the server to which the user is currently connected
- Enable HyShell on Session Host Server
  - Windows Session Host Server: Enable HyShell from Registry Editor. Follow the steps below to enable HyShell on the session host server (Windows):
    - Connect to the session host server remotely using user credentials that have administrator privileges
    - Open Registry editor (open the Run prompt, type 'regedit' and press the Enter key)
    - In Registry editor, navigate to the following location:
      HKEY_LOCAL_MACHINE\SOFTWARE\Accops\Controller\EDC\SESSIONHOST
    - Create or update the following registry value:
      - Type: string
      - Name: IsDesktopCustomizationEnabled
      - Value: True
    - Save the registry value and exit Registry editor
    - Restart the HyWorks Session Host Agent service
  - Linux Session Host Server: Enable HyShell from the configuration file. Follow the steps below to enable HyShell on the session host server (Linux):
    - Connect to the Linux SHD server via an SSH client (if SSH is enabled) or a console session
    - Open the HyShell configuration file, command:
      sudo vi /etc/edcdvm/linuxDVM/hyShell/hyshell.config
    - Set the value for IS_HYSHELL_ENABLED to 1.
    - If any user is added to EXCLUDE_USERS_LIST, the desktop restriction does not apply to the users in EXCLUDE_USERS_LIST
    - Restart the DVM Agent Service by using the following command:
      sudo systemctl restart edcdvm
    - Linux SHD is now enabled with HyShell.
Pre-Post Scripts for HyShell
HyWorks v3.3 now allows pre and post scripts to be executed with HyShell as well, which means these scripts are executed before HyShell is launched, as some deployments need some kind of pre-post cleanups as well.
Windows Session Host
PowerShell scripts: These scripts can be used by the admin to enable any customization as per user/client requirements, e.g. pushing specific policies before and after HyShell execution. The launcher script executes in user context and launches HyShell; the other two scripts are executed in service context, as mentioned below.
The scripts can be updated at (folder):
C:\Program Files (x86)\Accops\HyWorks\SessionHost\HyShellScripts\
Available Scripts names:
- HyShellLauncherScript.ps1: It is launched by AppLauncher, so it runs in user context and launches HyShell. The HyWorks admin can add customization code to this file that needs to execute in user context.
- HyShellServerPreScript.ps1: This script is executed in service context before the shortcuts are created on the desktop. It should contain the commands that need to run before creating shortcuts and for which the current user does not have permission; such commands can be executed in the service context.
- HyShellServerPostScript.ps1: This script is executed in service context after the shortcuts are created on the desktop. It should contain the commands that need to run after creating shortcuts and for which the current user does not have permission; such commands can be executed in the service context.
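The session change event scripts (*_System.bat) and the HyShellServerPreScript.ps1/HyShellServerPostScript.ps1 scripts run in System or service context, so write access to both Windows script folders should be limited to administrators. The following added example (not Accops code; the function name and the trusted-SID list are assumptions) lists every other principal that holds modify rights on those folders and their files.

```powershell
$ScriptDirs = @(
    'C:\Program Files (x86)\Accops\HyWorks\SessionHost\scripts',
    'C:\Program Files (x86)\Accops\HyWorks\SessionHost\HyShellScripts'
)
# Well-known SIDs treated as trusted writers (assumption; adjust to local policy).
$TrustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# Rights that allow changing or replacing a script, plus GENERIC_ALL/GENERIC_WRITE.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-UntrustedScriptWriters {
    param([string[]]$Path = $ScriptDirs)
    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # Check the folder itself and everything below it.
        $items = @(Get-Item -LiteralPath $dir) + @(Get-ChildItem -LiteralPath $dir -Recurse -Force)
        foreach ($item in $items) {
            $acl   = Get-Acl -LiteralPath $item.FullName
            # Explicit and inherited rules, with identities returned as SIDs.
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
            foreach ($rule in $rules) {
                # Only Allow rules that apply to this object are considered;
                # Deny rules are ignored, so the result errs on the side of reporting.
                $isInheritOnly = ([int]$rule.PropagationFlags -band $InheritOnly) -ne 0
                if ($rule.AccessControlType -ne 'Allow' -or $isInheritOnly) { continue }
                if ($TrustedSids -contains $rule.IdentityReference.Value) { continue }
                if (([int]$rule.FileSystemRights -band $WriteMask) -ne 0) {
                    [pscustomobject]@{
                        Path   = $item.FullName
                        Sid    = $rule.IdentityReference.Value
                        Rights = $rule.FileSystemRights
                    }
                }
            }
        }
    }
}

Get-UntrustedScriptWriters | Format-Table -AutoSize
```

An empty result means only the trusted SIDs can modify the scripts.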
Linux Session Host
The scripts can be updated at (folder):
/etc/edcdvm/linuxDVM/hyshell/
Available Scripts names:
- HyShellLauncherPreScript.sh: This script is executed in user context before the shortcuts are created on the desktop. It should contain the commands that need to run before creating shortcuts.
- HyShellServerPreScript.sh: This script is executed in service context before the shortcuts are created on the desktop. It should contain the commands that need to run before creating shortcuts and for which the current user does not have permission; such commands can be executed in the service context.
- HyShellLauncherPostScript.sh: This script is executed in user context after the shortcuts are created on the desktop. It should contain the commands that need to run before creating shortcuts.
- HyShellServerPostScript.sh: This script is executed in service context after the shortcuts are created on the desktop. It should contain the commands that need to run after creating shortcuts and for which the current user does not have permission; such commands can be executed in the service context.