Forum Replies Created
-
Posts
-
Hi!
What logs exactly would you need ?
Those collected on client side with this command ?
tar -cvp –exclude ‘cache*’ –exclude ‘images’ –exclude ‘temp’ $HOME/.nx | gzip -c >nxdir.tar.gz
I can’t send all the the logs for security reasons, please could you be more precise and tell me just a few crucial log files you need to understand the problem ?
Thanks,
Regards,
Steve.
Hi!
I’ve reproduced the problem on a 2nd “Debian 12” environment:
I’ve installed HAProxy 2.6.12 in TCP mode to do load balancing (round robin) between 2 NoMachine 8.16.1 ECS (Enterprise Cloud Server) accepting NX protocol.
I use 4 VM (Debian 12):
1 NoMachine Client (NX or SSH)
1 HAProxy
ECS 1 = 1st member of the cluster
ECS 2 = 2nd member of the cluster
It’s working but I still get a server identity warning each time I connect to an ECS of the cluster. 🙁
The RSA public keys of the 2 ECS of the cluster are not saved together in “/home/my_user/.nx/config/hosts.crt”.
It seems that each time I connect to an ECS, its public key overwrites the key of the other ECS already in the hosts.crt file.
I actually don’t understand the logic of this behaviour.
NB: ECS supports SSH protocol and it works like a charm, I get a server identity warning only the 1st time I connect to HAProxy (I see the public key of HAProxy server in /home/my_user/.ssh/known_hosts).
When you write “We are unable to reproduce the problem”, are you using 4 VM like I am ?
Thanks,
Regards,
Steve.
Hi!
This problem is strange, I did a quick testing on !M client, after deleting this hosts.crt file, and I see
/home/my_user/.nx/config/hosts.crt
is re-created and is updated with only the public key of one of the 2 members of the cluster handled by HAProxy (and go-mmproxy), even after many logins well balanced.
Very surprising !
I tried to manually add the public keys (/usr/NX/etc/keys/host/nx_host_rsa_key.crt) of the 2 ECS of the cluster to
/home/my_user/.nx/config/hosts.crt on !M client.
Then I protected the file with:
chown root:root hosts.crt
chmod 400 hosts.crt
At each logging from !M client, a warning is displayed saying the file hosts.crt is write protected that is a little bit better than a host authenticity warning.
I have to investigate further.
Regards,
Steve
Hi!
I know this article but, alas, it is not precise enough.
We would like metrix of performances benchmarks between SSH and NX.
SSH used on just part of the flow penalizes the end-to-end connection ?
What % performance loss can be expected if using SSH instead of NX in the following configurations ?
Basic :
[ !M Client ] == SSH ==> [ ECS ] == NX ==> [ ED or SBTS ]
Final clustering (ECS A + ECS B) architecture :
[ !M Client ] == SSH ==> [ HAProxy ] == SSH Proxy ==> [ go-mmproxy + (ECS A or ECS B) ] == NX ==> [ ED or SBTS ]
Using SSH would be necessary if there’s no solution to remove the NX authenticity warning on the HAProxy cluster (see https://forum.nomachine.com/topic/disable-warning-about-authenticity-of-host).
It would be a shame to lose X% of performance because of this…
Regards,
Steve.
Hi Britgirl,
Thanks for this answer.
Let’s consider a cluster of 2 ECS on “VM A” and “VM B”.
I fear “data created when new sessions or connections are established” could be a problem.
Q1- What happens if a user is connected to “VM A”, closes !M window (or is diconnected, due to a technical problem) and logs in “VM B” ?
” other data is generated while the server is running ”
Q2- What is exactly this data ?
Q3- What impact for the user if this data is different between nxDB on “VM A” and nxDB on “VM B” ?
“We do not synchronize databases between the two ECS servers, but they can have the same nodes added to them.”
Q4- So, that would be OK to create same nodes , groups of nodes, rules …on “VM A” and “VM B” (with a script) ?
Q5- No problem with internal data (not handled by administrator) ?
Q6- Do you have clients using this architecture ?
Q7- Could a tool like SymmetricDS be used to synchronize SQLite nxDB databases between multiple ECS NoMachines in a cluster ? It does not seem to be possible due to proprietary format of nxDB… ?
Regards,
Steve.
Hi,
While, I suppose, you enjoy your holidays 😉 , I did some testing.
Q1- I can confirm: NO with standard settings. Any solution with special settings ?
Q2- I can confirm: NO with standard settings. Any solution with special settings ?
Q3- YES, for both NX & SSH !
Q4- It works ! “go-mmproxy” (nice piece of open source) translates PROXY protocol (HAProxy) to standard NX or SSH and allows forwarding of the IP address of clients to ECS.
The only problem with NX (not SSH) is the warning box about authentication (see my other post).
!M logs show well the IP address of clients and not the one of HAProxy 🙂 .
Have you ever test this configuration ? Is it used in big enterprises among your clients ?
Regards,
Steve.
Hi!
Does NX actually offer much better performances than SSH ?
In what use cases ? In what measure ?
(forget the 2 last questions in 1st post, they are raised in my other posts)
Thanks,
Steve.
Hi!
I’ve tested this new option, it’s half a success.
I get only one warning box (the 1st one beginning with “The authenticity of host can’t be established…”), I don’t have any more the 2nd box displaying the key.
Any mean to get rid of this pop-up ?
NB: if I use SSH instead of NX, I don’t have the problem even without ticking this new option. I don’t have any warning box.
Is it possible to have the same behaviour (no warning at all) with NX than with SSH ? How ?
The use of a load balancer should be transparent to users.
Regards,
Steve.
Hi!
I’m still very interested in this subject, it’s very important for the last part of the POC.
Q1 – Does ECS V8 support PROXY protocol with NX so ECS can see the IP address of the client (and not the address of HAProxy) ?
I’ve done some testing, it doesn’t seem with standard settings. Is there something to set to make it work ?
Q2 – Does ECS V8 support PROXY protocol with SSH ?
I’ve done some testing, it doesn’t seem with standard settings. Is there something to set to make it work ?
Q3 – Do we need to install mmproxy or better go-mmproxy on both ECS to allow them to communicate with HAProxy, using PROXY protocol ? With NX servers ? With SSH servers ?
Q4 -Have you ever test this configuration ? Is it used in big enterprises among your clients ?
___________________ ==> [ go-mmproxy + !M ECS-A ] ==>
!M Client ==> HAProxy ==|| ________________________ ||==> !M ED or SBTS
___________________ ==> [ go-mmproxy + !M ECS-B ] ==>
HAProxy balances the load between an ECS cluster with 2 members A & B and forwards IP adresses of the clients to the ECS servers thanks to “PROXY protocol”.
Thanks,
Regards,
Steve.
Hi!
The idea would be to use HAProxy to balance load on at least 2 ECS, without using “ECS Cluster” products since they run in active/passive mode, they don’t offer load balancing but only failover.
HAProxy uses PROXY protocol.
Does the implementation on the NoMachine ECS V8 support the PROXY protocol ?
If it doesn’t, from my understanding, it means that IP source addresses (!M Clients) will be unknown for the NoMachine ECS in cluster (they will only see IP add. of HAProxy).
It would be very annoying because we do need traceablity for some sensitive environments.
Would the alternative solution be to use SSH instead of NX (I found some documentation saying ssh servers support PROXY protocol) ?
SSH and NX are quite similar, so I hope NXserver support PROXY protocol too…
Could you please clarify that ?
Thanks,
Steve.