gtOrenoPC Installation and Configuration Guide

Version 1.2

Prerequisite

If you plan to use a VNC and haven't installed one yet, please install and configure it. Please configure the VNC to 1) listen for port 5900, and 2) allow loopback connection. If you have a Windows XP Professional, enable Remote Desktop from the control panel.
If you are using a NAT router, just open up TCP port 443 and forward it to the local IP address of your home PC.
Your client PCs (i.e., your end users) need to have Java Run Time (JRE) installed. The version 5 or higher are highly recommended.

Upgrade Notes

Upgrade from 1.x releases
You can just install the new version over the old version. Then, manually modify existing sproxy.conf or files under _intmenu directory as necessary.

Install

Run the installer. Make sure you answer "yes" to "Create gtOrenoPC Service" in the last popup screen if this is a new install.
Start "gtOrenoPC Command Prompt" from the start menu.
Using a text editor (like NotePad), modify the file called 'gencert.dat'. Change the following line and save the file.
```
cert_commonname = yourpc.dyndns.org
```
You must put your PC's (or router's) DNS hostname, which is the public name by which your PC (or router) is accessed externally from the Internet.
Type the following in the command prompt:
```
gencert -gen -99 -f 
```
This will prepare SSL certificate environment in your gtOrenoPC.
Type the following in the command prompt:
```
net start gtOrenoPC
```
This will start gtOrenoPC service.

Configure Your Router's Port Forwarding

If you are using a home router (a device to share a single internet connection), you probably need to configure "port-forwarding" of TCP port 443.

If your router is UPnP enabled (Universal Plug and Play), and parameter "upnp_auto" is set to "on" in sproxy.conf, gtOrenoPC will try to automatically configure the port-forwarding for you.

  upnp_auto = on

See event.log for results. If that succeeds, you do not have to manually configure the port forwarding.

Note: make sure you configure all necessary access controls for Orenosp before you make it available on the Internet.

Try to Access gtOrenoPC

Point your browser to your gtOrenoPC start page:
```
https://yourpc.dyndns.org/
```
Depending on your router's ability, you may not be access your external hostname from within your LAN. In that case, do this instead:
```
https://localhost/
```
In either case, your browser will warn you that the server's SSL certificate is not trusted. Just keep pressing "yes" for now.
The gtOrenoPC proxy redirects you to a HTML form authentication page. Enter username and password. Use default "user1" and "pass1". Now you should be seeing "Welcome to gtOrenoPC!" page.
Now click "SSL Port Forwarding". It will show you links to two Port Forwarding service pages. If your browser has Java 5 or higher you should choose the first one. Either page will start an Java applet. Java plugin will popup saying "this security certificate is not trusted". Just click "yes" for now. Then, it will again say that "Orenosp TnApplet" is not trusted. Just click "yes" again.
Now you should be seeing the applet's box. Just press "login". In the applet's status line, you should see "Successfully logged in!".
Now start your remote desktop client, either "Remote Desktop Connection" or your favorite VNC client. An VNC client is also bundled with gtOrenoPC and is ready to use. Just click "VNC Java viewer" on the Port Forwarding Applet page. Use the following connect information.
```
Remote Desktop, use "127.0.0.2:3390"
VNC,            use "127.0.0.2:0"
VNC (alternate), use "127.0.0.2:1"
```
Use "VNC (alternate)" connection if you enabled your VNC on display 1, rather than default 0.
Note: If your client PCs are Mac OS X, you need to do the following before running the TnApplet:
```
sudo ifconfig lo0 inet 127.0.0.2 add
sudo ifconfig lo0 inet 127.0.0.3 add
...
```

Configuration Files

sproxy.conf : main configuration file
passwd.txt : user password file
grpdb.txt : user group file
ip_allow.txt : IP-based access control file

gtOrenoPC Monitor Connection Monitoring

By default, gtOrenoPC Monitor page can be accessed with "/_monitor" path on any virtual hostnames that gtOrenoPC is set to serve. If you configure gtOrenoPC to serve for "yourpc.dyndns.org:443", you can access the monitor page with the following url:

https://yourpc.dyndns.org/_monitor

To further tighten security, access control to the monitor page is restricted to

users who is a member of "admin" group, and
client PC that resides in the intranet (192.168.x.y)

You can change these settings. Look for "Monitoring Module" section in your sproxy.conf file.

Informational Log Files

These files are created either in ORENOSP_HOME or "logs" directory under it depending on your configuration.

event.log
access.log
spr_session.log

Integration with Remote Desktop Web Connection (TSWeb)

Remote Desktop Web Connection (hereafter called TSWeb) is an IIS feature that allows IE on Windows to connect to a remote desktop of Windows XP Professional or Windows Terminal Services. It is actually composed of an ActiveX downloadable program and a simple static web page. There are two ways to integrate TSWeb into gtOrenoPC.

Use TSWeb component directly from gtOrenoPC. Do not use IIS.
Let IIS to send TSWeb component via gtOrenoPC.

Either way, you have to modify the default TSWeb's default.htm to adapt it for port-forwarded environments. Here we describe procedures for the first option.

First you have to copy the TSWeb componet files to gtOrenoPC's folder. In order to do this, you need to have access to an installed TSWeb component somewhere. If you installed IIS's TSWeb component you can use that. Please note if you run gtOrenoPC on other OSes than Windows XP Professional or Windows Server's, you might not be permitted to copy the TSWeb component with regard to Windows licensing. Please refer to Microsoft documentations.
```
xcopy %SystemRoot%\web\TSWeb "\Program Files\gtOrenoPC\_intmenu\TSWeb\"
or
xcopy %SystemDrive%\InetPub\wwwroot\TSWeb "\Program Files\gtOrenoPC\_intmenu\TSWeb\"
```
This way, the copied TSWeb folder is accessible via /_intmenu/TSWeb/.
Copy gtOrenoPC-supplied web pages file to the copied TSWeb folder.
```
cd "\Program Files\gtOrenoPC\_intmenu"
copy "gthelp\tsweb\*.htm" TSWeb
```
Included file(s)
secure.htm : allows port number ("127.0.0.2:3390")
Diff files (secure.htm.diff) are also in gthelp\tsweb directory.
Now the Remote Desktop Web Connection start page is accessible on:
```
https://your-external-site/_intmenu/TSWeb/secure.htm
```
Note: TsWeb start page (Default.htm or gtOrenpPC-supplied secure.htm) contains a specific class ID and version number for the ActiveX component. gtOrenpPC-supplied secure.htm contains the class ID and version number for the ActiveX component that comes with Windows Server 2003 SP 0.
You can find the appropriate class ID and version number by looking at Default.htm that came with your TsWeb package. (Look for "CLASSID"). Then change the class ID and version number in secure.htm to those numbers.
Examples:
- TsWeb in Windows 2003 SP 0
  CLASSID="CLSID:7584c670-2274-4efb-b00b-d6aaba6d3850"
  CODEBASE="msrdp.cab#version=5,2,3790,0"
- TsWeb in Windows XP SP2
  CLASSID="CLSID:9059f30f-4eb1-4bd2-9fdc-36f43a218f4a"
  CODEBASE="msrdp.cab#version=5,1,2600,2180"
You can find more advanced TSWeb page at: Remote Network Technology. Online demo is also available.

Further Configuration

If you need to customize gtOrenoPC, please follow instructions below.

If you want to add or change username and/password, edit passwd.txt. Change the following lines in passwd.txt:
```
# simple
user1:pass1
user2:pass2
```
If you want to use Windows passwords to validate client's passwords, edit passwd.txt. Find and enable the following lines:
```
john::: os_auth=1
Administrator::: os_auth=1
```

If you want to restrict a service to certain users, uncomment-out the following lines in sproxy.conf.

# only user1 is permitted to access RDP.
# only user1 and user2 are permitted to access VNCs (vnc and vnc1).
# Users in group "mail" are permitted to access POP service.
# (groups must be defined in grpdb.txt file).

proxy_authck_assign = /vpn/host1/rdp   fmusers -allow="user1"
proxy_authck_assign = /vpn/host1/vnc*  fmusers -allow="user1,user2"
proxy_authck_assign = /vpn/host1/pop   fmusers -allow="@mail"

User group definitions are stored as text in grpdb.txt. Group names can be specified in "-allow" option of proxy_authck_assign paramter, by prefixing a group name with "@".

If you want to add another service, follow this instruction
For example, we want to add access to VMWare Server 1.0 running on the same PC. Add the following:

tunnel_dest_name = host1:vmware   127.0.0.1:902    raw

tunnel_pass_by = label /vpn/host1/vmware         host1:vmware

Also add the following line to _intmenu\vpn\tnlis.conf:

listen_addresses: 127.0.0.2@3390=/vpn/host1/rdp \
                  127.0.0.2@5900=/vpn/host1/vnc \
                  127.0.0.2@9002=/vpn/host1/vmware \ <=== ADD this line
                  127.0.0.2@5901=/vpn/host1/vnc1

Now, you can enter "127.0.0.2:9002" in login box of VMware Server Console to connect to the VMware Server on your remote PC.

If you want to add another PC, edit sproxy.conf. Add the following:

proxy_sslvpn_url = /vpn/host2/*

tunnel_dest_name = host2:rdp   192.168.1.102:3389    raw
#you can also specify the hostname if your PC obtains IP via DHCP.
#tunnel_dest_name = host2:rdp   my2ndpc:3389    raw

tunnel_pass_by = label /vpn/host2/rdp         host2:rdp

Also add the following line to _intmenu\vpn\tnlis.conf:

listen_addresses: 127.0.0.2@3390=/vpn/host1/rdp \
                  127.0.0.2@5900=/vpn/host1/vnc \
                  127.0.0.3@3390=/vpn/host2/rdp \ <=== ADD this line
                  127.0.0.2@5901=/vpn/host1/vnc1

This set of params will enable forwarded Remote Desktop connection on PC with IP 192.168.1.102 (my2ndpc). From a remote PC, connect to "127.0.0.3:3390".

If you want to restrict client access based on client's IP address, edit ip_allow.txt.

# 0.0.0.0/0 matches any IPv4 address
#0.0.0.0/0
# 192.168.1.xxx
192.168.1.0/24
# list individual IPs here
207.46.249.252
207.46.156.156

If you want to make gtOrenoPC Monitor accessible to SSL VPN users, change the following in sproxy.conf:

# --- OLD ---
proxy_listen_name = https-mon   0.0.0.0@4443   https
proxy_mon_xurl = https-mon://*/_monitor
#
proxy_authip_url = /_monitor* -allow="127.0.0.1,192.168.0.0/16"

proxy_authck_assign = /_monitor*  fmusers  -allow="@admin,@users"


# --- NEW ---
proxy_mon_xurl = /_monitor

# THE FOLLOWING SHOULD NOT BE CHANGED
proxy_authck_assign = /_monitor*  fmusers  -allow="@admin,@users"

With the above change, you can access gtOrenoPC Monitor from anywhere with "https://your-domain-name/_monitor". You may also want to modify the link in GTORENOPC_HOME\_intmenu\menu.html to "/_monitor".

Restarting gtOrenoPC

If you have modified sproxy.conf file, you must restart gtOrenoPC. For other files, ip_allow.txt, passwd.txt and grpdb.txt, you do NOT need to restart gtOrenoPC.

Manually Configuring UPnP-controlled Port-Forwarding

If upnp_auto is on, gtOrenoPC will add a port-forwarding to the router when it starts up and will also delete the port-forwarding when stopping. In cases when you want to manipulate UPnP-controlled port forwarding, you can use winupnp.exe tool program. Type "winupnp -h" to see help.

Uninstalling gtOrenoPC

Stop gtOrenoPC service and uninstall gtOrenoPC from the control panel.

Go back to gtOrenoPC index page

admin@orenosv.com