Does TLXOS include a VNC server?


Yes, TLXOS has a VNC-based session shadowing feature, but it doesn't work the way that you probably think it does.  TLXOS uses stunnel-encapsulated reverse VNC, for three reasons:

  1. Forward VNC connections potentially have a problem with lack of informed user consent, because the protocol lacks any kind of connection event hook to hang a (reliable) consent dialog on.  By using a reverse connection, the console operator must initiate the connection, so that they are implicitly aware of, and have implicitly consented to, being shadowed.
  2. Standard VNC lacks any form of encryption and is therefore vulnerable to network interception.  SSL-enhanced VNC variants exist, but there is no common standard, which limits interoperability.  We chose to use stunnel as an external encryption helper as a relatively generic solution that does not require you to use any specific VNC client.
  3. Forward VNC cannot traverse NAT boundaries, e.g. a DSL modem connection to the Internet, unless the site goes to great trouble to set up port forwarding at the NAT boundary.  Reverse VNC sidesteps this issue.

TLXOS session shadowing can be accessed via the <ctrl><alt>s keyboard shortcut (if you're already in a fullscreen remote desktop you'll have to exit fullscreen mode / break keyboard lock first; it's easiest to do this before starting a remote desktop session).  At present the end user has to enter some data (the hostname/IP address and TCP port number of the shadower), but in future we will add controls to the TMS and Tlxconfig UIs to allow administrators to preset this information.  The user is always going to have to press a button to initiate the connection, however.

You can either use one TLXOS device to shadow another, or set up your own shadower using Stunnel and the VNC client of your choice.  A separate knowledgebase article has instructions on how to set up a TLXOS shadower on Windows.  To set up a TLXOS device as a shadower, change its mode to VNC, change Security to SSL, and set Command Line Args to "-listen".  The shadowee will then be able to connect to the shadower on port 5500.

We realise that there are use cases where non-interactive shadowing is a legitimate and reasonable requirement (e.g. when the TLXOS device never runs anything like a remote desktop session and no passwords or personal information are ever entered, such as digital signage and some kiosk uses), but our apps have no way of determining what your use case is, so we have to err on the side of caution.

For such cases we have provided a simpler (unencrypted, consentless, forward VNC) alternative that you can use at your own risk.  In recent versions of TMS this option is located at Device->Network Configuration->Optional Services->Configure VNC Server.  In recent versions of Tlxconfig, it is located in the Misc tab.  You can optionally add an access password, but this won't improve security much - the encryption used is weak, and is only used for authentication purposes; for session encryption you need SSL.
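The point about the access password can be checked from the first bytes a VNC server sends.  The following is an added example, not ThinLinX code: it parses the RFB security handshake as defined in RFC 6143 and reports which offered security types leave the session in cleartext.  The function name and the sample bytes are constructed for illustration.

```python
import struct

# RFB security-type codes (RFC 6143 and the IANA RFB registry).
NAMES = {1: "None", 2: "VNC Authentication", 18: "TLS", 19: "VeNCrypt"}
# Neither of these encrypts the session: type 2 is only a challenge-response login.
CLEARTEXT = {1, 2}

def classify_offer(version_line: bytes, security_msg: bytes) -> dict:
    """Classify a VNC server's security offer.

    version_line: the 12-byte ProtocolVersion agreed in the handshake.
    security_msg: the server's next message (its security offer).
    """
    if len(version_line) != 12 or version_line[:4] != b"RFB " or version_line[11:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    version = (int(version_line[4:7]), int(version_line[8:11]))
    if version >= (3, 7):
        # 3.7 and later: a count byte, then that many one-byte type codes.
        count = security_msg[0] if security_msg else 0
        types = list(security_msg[1:1 + count])
        if count == 0 or len(types) != count:
            raise ValueError("connection refused or truncated type list")
    else:
        # 3.3: the server dictates a single type as a big-endian 32-bit value.
        if len(security_msg) < 4:
            raise ValueError("truncated security type")
        types = list(struct.unpack(">I", security_msg[:4]))
        if types == [0]:
            raise ValueError("connection refused")
    return {
        "offered": [NAMES.get(t, f"type {t}") for t in types],
        "no_password": 1 in types,
        "cleartext_session": [NAMES[t] for t in types if t in CLEARTEXT],
    }

# Constructed handshake bytes, not captured from a TLXOS device.
SAMPLES = {
    "no password set": (b"RFB 003.008\n", b"\x01\x01"),
    "password set": (b"RFB 003.008\n", b"\x01\x02"),
    "RFB 3.3 server": (b"RFB 003.003\n", b"\x00\x00\x00\x02"),
}

if __name__ == "__main__":
    for label, (ver, msg) in SAMPLES.items():
        print(label, classify_offer(ver, msg))
```

A server offering only "VNC Authentication" still appears under `cleartext_session`: the password changes who may connect, not whether the traffic can be read on the wire.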


Article details
Article ID: 23
Category: Frequently Asked Questions
Date added: 2019-05-29 12:27:27