Steve92

Forum Replies Created

Viewing 15 posts - 1 through 15 (of 56 total)
  • Author
    Posts
  • in reply to: Disable warning about authenticity of host #53066
    Steve92
    Participant

    Hi!

    What logs exactly would you need ?

    Those collected on client side with this command ?

    tar -cvp --exclude 'cache*' --exclude 'images' --exclude 'temp'   $HOME/.nx | gzip -c >nxdir.tar.gz

    I can’t send all the logs for security reasons, please could you be more precise and tell me just a few crucial log files you need to understand the problem ?

    Thanks,

    Regards,

    Steve.

    in reply to: Disable warning about authenticity of host #53051
    Steve92
    Participant

    Please, could you send your haproxy.cfg file ?

    Thanks!

    in reply to: Disable warning about authenticity of host #53031
    Steve92
    Participant

    Hi!

    I’ve reproduced the problem on a 2nd “Debian 12” environment:

    I’ve installed HAProxy 2.6.12 in TCP mode to do load balancing (round robin) between 2 NoMachine 8.16.1 ECS (Enterprise Cloud Server) accepting NX protocol.

    I use 4 VM (Debian 12):

    1 NoMachine Client (NX or SSH)

    1 HAProxy

    ECS 1 = 1st member of the cluster

    ECS 2 = 2nd member of the cluster

    It’s working but I still get a server identity warning each time I connect to an ECS of the cluster. 🙁

    The RSA public keys of the 2 ECS of the cluster are not saved together in “/home/my_user/.nx/config/hosts.crt”.

    It seems that each time I connect to an ECS, its public key overwrites the key of the other ECS already in the hosts.crt file.

    I actually don’t understand the logic of this behaviour.

    NB: ECS supports SSH protocol and it works like a charm, I get a server identity warning only the 1st time I connect to HAProxy (I see the public key of HAProxy server in /home/my_user/.ssh/known_hosts).

    When you write “We are unable to reproduce the problem”, are you using 4 VM like I am ?

    Thanks,

    Regards,

    Steve.

    in reply to: Disable warning about authenticity of host #52975
    Steve92
    Participant

    Hi!

    This problem is strange, I did a quick test on the !M client, after deleting this hosts.crt file, and I see

    /home/my_user/.nx/config/hosts.crt

    is re-created and is updated with only the public key of one of the 2 members of the cluster handled by HAProxy (and go-mmproxy), even after many logins well balanced.

    Very surprising !

    I tried to manually add the public keys (/usr/NX/etc/keys/host/nx_host_rsa_key.crt) of the 2 ECS of the cluster to

    /home/my_user/.nx/config/hosts.crt on !M client.

    Then I protected the file with:

    chown root:root hosts.crt

    chmod 400 hosts.crt

    At each login from the !M client, a warning is displayed saying the file hosts.crt is write-protected, which is a little bit better than a host authenticity warning.

    I have to investigate further.

    Regards,

    Steve

     

    in reply to: Disable warning about authenticity of host #52959
    Steve92
    Participant

    Hi,

    No solution to solve this problem that occurs only with NX protocol ? 🙁

    Regards,

    Steve.

    in reply to: NX vs SSH #52919
    Steve92
    Participant

    Hi!

    I know this article but, alas, it is not precise enough.

    We would like metrics from performance benchmarks between SSH and NX.

    SSH used on just part of the flow penalizes the end-to-end connection ?

    What % performance loss can be expected if using SSH instead of NX in the following configurations ?

    Basic :

    [ !M Client ] == SSH ==> [ ECS  ] == NX ==> [ ED or SBTS ]

    Final clustering (ECS A + ECS B) architecture :

    [ !M Client ] == SSH ==> [ HAProxy ] == SSH Proxy ==> [ go-mmproxy + (ECS A or ECS B) ] == NX ==> [ ED or SBTS ]

     

    Using SSH would be necessary if there’s no solution to remove the NX authenticity warning on the HAProxy cluster (see  https://forum.nomachine.com/topic/disable-warning-about-authenticity-of-host).

    It would be a shame to lose X% of performance because of this…

    Regards,

    Steve.

    Steve92
    Participant

    Hi Britgirl,

    Thanks for this answer.

    Let’s consider a cluster of 2 ECS on “VM A” and “VM B”.

    I fear “data created when new sessions or connections are established” could be a problem.

    Q1- What happens if a user is connected to “VM A”, closes !M window (or is disconnected, due to a technical problem) and logs in “VM B” ?

    ” other data is generated while the server is running ”

    Q2- What is exactly this data ?

    Q3- What impact for the user if this data is different between nxDB on “VM A” and nxDB on “VM B” ?

    “We do not synchronize databases between the two ECS servers, but they can have the same nodes added to them.”

    Q4- So, that would be OK to create same nodes , groups of nodes, rules …on “VM A” and “VM B” (with  a script) ?

    Q5- No problem with internal data (not handled by administrator) ?

    Q6- Do you have clients using this architecture ?

    Q7- Could a tool like SymmetricDS be used to synchronize SQLite nxDB databases between multiple ECS NoMachines in a cluster ? It does not seem to be possible due to proprietary format of nxDB… ?

    Regards,

    Steve.

    in reply to: Active/active clustering #52909
    Steve92
    Participant

    Hi,

    While, I suppose, you enjoy your holidays 😉 , I did some testing.

    Q1- I can confirm: NO with standard settings. Any solution with special settings ?

    Q2- I can confirm: NO with standard settings. Any solution with special settings ?

    Q3- YES, for both NX & SSH !

    Q4- It works ! “go-mmproxy” (nice piece of open source) translates PROXY protocol (HAProxy) to standard NX or SSH and allows forwarding of the IP address of clients to ECS.

    The only problem with NX (not SSH) is the warning box about authentication (see my other post).

    !M logs show well the IP address of clients and not the one of HAProxy 🙂 .

    Have you ever tested this configuration ? Is it used in big enterprises among your clients ?

    Regards,

    Steve.

    in reply to: NX vs SSH #52908
    Steve92
    Participant

    Hi!

    Does NX actually offer much better performance than SSH ?

    In what use cases ? In what measure ?

    (forget the 2 last questions in 1st post, they are raised in my other posts)

    Thanks,

    Steve.

    in reply to: Disable warning about authenticity of host #52907
    Steve92
    Participant

    Hi!

    I’ve tested this new option, it’s half a success.

    I get only one warning box (the 1st one beginning with “The authenticity of host can’t be established…”), I don’t have any more the 2nd box displaying the key.

    Any means to get rid of this pop-up ?

    NB: if I use SSH instead of NX, I don’t have the problem even without ticking this new option. I don’t have any warning box.

    Is it possible to have the same behaviour (no warning at all) with NX as with SSH ? How ?

    The use of a load balancer should be transparent to users.

    Regards,

    Steve.

    in reply to: Active/active clustering #52838
    Steve92
    Participant

    Hi!

    I’m still very interested in this subject, it’s very important for the last part of the POC.

    Q1 – Does ECS V8 support PROXY protocol with NX so ECS can see the IP address of the client (and not the address of HAProxy) ?

    I’ve done some testing, it doesn’t seem so with standard settings. Is there something to set to make it work ?

    Q2 – Does ECS V8 support PROXY protocol with SSH ?

    I’ve done some testing, it doesn’t seem so with standard settings. Is there something to set to make it work ?

    Q3 – Do we need to install mmproxy or better go-mmproxy on both ECS to allow them to communicate with HAProxy, using PROXY protocol ? With NX servers ? With SSH servers ?

    Q4 – Have you ever tested this configuration ? Is it used in big enterprises among your clients ?

    ___________________ ==> [ go-mmproxy + !M ECS-A ] ==>

    !M Client ==> HAProxy ==|| ________________________ ||==> !M ED or SBTS

    ___________________ ==> [ go-mmproxy + !M ECS-B ] ==>

    HAProxy balances the load between an ECS cluster with 2 members A & B and forwards IP addresses of the clients to the ECS servers thanks to “PROXY protocol”.

    Thanks,

    Regards,

     

    Steve.

    in reply to: Disable warning about authenticity of host #52820
    Steve92
    Participant

    Could you be more precise ?

    in reply to: Active/active clustering #52771
    Steve92
    Participant

    Hi!

    The idea would be to use HAProxy to balance load on at least 2 ECS, without using “ECS Cluster” products since they run in active/passive mode, they don’t offer load balancing but only failover.

    HAProxy uses PROXY protocol.

    Does the implementation on the NoMachine ECS V8 support the PROXY protocol ?

    If it doesn’t, from my understanding, it means that IP source addresses (!M Clients) will be unknown for the NoMachine ECS in cluster (they will only see IP add. of HAProxy).

    It would be very annoying because we do need traceability for some sensitive environments.

    Would the alternative solution be to use SSH instead of NX (I found some documentation saying ssh servers support PROXY protocol) ?

    SSH and NX are quite similar, so I hope NXserver supports PROXY protocol too…

    Could you please clarify that ?

    Thanks,

    Steve.
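
The traceability concern in the post above, as an added example that is not part of the original posts and is not NoMachine, HAProxy or go-mmproxy code: a parser for the PROXY protocol v1 line a balancer prepends to the TCP stream, plus the rule that the header is only honoured when the peer is the known balancer. The addresses, the port and the names `TRUSTED_BALANCERS`, `parse_proxy_v1` and `client_address` are assumptions made for the illustration.

```python
import ipaddress

# PROXY protocol v1 is one ASCII line, at most 107 bytes including CRLF,
# sent by the balancer before any application (NX or SSH) bytes.
MAX_V1_HEADER = 107
TRUSTED_BALANCERS = {"192.0.2.10"}  # assumed HAProxy address (documentation range)
# Constructed sample: what a backend receives first on a balanced connection.
SAMPLE = b"PROXY TCP4 198.51.100.7 192.0.2.10 51234 4000\r\napp-bytes"

def parse_proxy_v1(data: bytes):
    """Split a received buffer into (client_info, remaining_payload).

    client_info is None for 'PROXY UNKNOWN'. Raises ValueError on a
    missing or malformed header, so the connection can be dropped
    instead of being logged with a wrong source address.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("no PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    payload = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, payload
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    version = 4 if fields[1] == "TCP4" else 6
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    if src.version != version or dst.version != version:
        raise ValueError("address family mismatch")
    if not all(f.isdigit() for f in fields[4:6]):
        raise ValueError("non-numeric port")
    sport, dport = int(fields[4]), int(fields[5])
    if max(sport, dport) > 65535:
        raise ValueError("port out of range")
    return {"src": str(src), "sport": sport, "dst": str(dst), "dport": dport}, payload

def client_address(peer_ip: str, data: bytes) -> str:
    """Address to record in the audit log for this connection."""
    if peer_ip not in TRUSTED_BALANCERS:
        return peer_ip  # never honour a header sent by an untrusted peer
    info, _ = parse_proxy_v1(data)
    return info["src"] if info else peer_ip
```

A server that does not understand this line sees it as unexpected application data and only knows the balancer's address as the TCP peer.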

    in reply to: Crucial folders & files to backup ? #52703
    Steve92
    Participant

    Hi,

    Is this command actually reliable ?

    Some files seem to have been forgotten…

    Steve.

    in reply to: Active/active clustering #52702
    Steve92
    Participant

    Hi,

    When, very approximately, will V9 be released ?

    We can’t wait for it and have to find a solution to get load balancing with v8.

    Are ECS compatible with HAProxy solution in TCP (NX) mode ?

    What third-party solution can handle load balancing between many ECS ?

    Thanks,

    Regards,

    Steve.
