######################################################################
#                                                                    #
# Copyright (c) 2001, 2023 NoMachine, http://www.nomachine.com.      #
#                                                                    #
# All rights reserved.                                               #
#                                                                    #
######################################################################

#
# Configuration file format version.
#
ConfigFileVersion 4.0

#
# Set the log level of NX Server. NX Server logs to the syslog all
# the events that are <= to the level specified below, according to
# the following conventions.
#
# Note that NX Server uses level 6 in the syslog to log the event.
# This is intended to override settings on the local syslog
# configuration that would prevent the event from being actually logged.
#
# The suggested values are:
#
# 5: Only relevant events are logged such as established client
#    connections, errors and warnings.
#
# 6: This is the default value. Important events are logged such as
#    established client connections, login, session startup, logout,
#    errors and warnings.
#
# 7: Debug log level.
#
#SessionLogLevel 6

#
# Set how often NoMachine must check for updates on the repository.
# The default value, 172800 seconds, checks once every two days.
# To disable the check for updates, set this key to 0.
#
#UpdateFrequency 172800

#
# Specify the TCP port where the NX service is listening.
#
#NXTCPPort 4000

#
# Specify the UDP port where the NX service is listening. To disable
# UDP listening, set this key to 0.
#
#NXUDPPort 4000

#
# Enable support for NAT-PMP and UPnP networking protocols to redirect
# a port from server side to allow end-users to connect to the server
# through a firewall. Accepted values are:
#
# NXTCP: Redirect the TCP port of the nxd service.
#
# NXUDP: Redirect the UDP port of the nxd service.
#
# SSH: Redirect the port of the SSH server.
#
# HTTP: Redirect the port of the HTTP server.
#
# none: Do not redirect any port. Connections via NX, SSH or HTTP
#       protocol are possible only if NoMachine host and user's
#       machine are on the same LAN or server has a public IP.
#
#EnableUPnP none

#
# Enable UPnP support in the session to map the port on the gateway
# for UDP communication when the NX protocol is used. This requires
# that the EnableUPnP key includes the 'NX' value. Accepted values
# are:
#
# 1: Enabled. Use UPnP to map the UDP port for the session.
#
# 0: Disabled. Do not use UPnP to map the UDP port.
#
#EnableUPnPSession 0

#
# Specify the port where the NX service will be redirected using
# NAT-PMP or UPnP to allow end-users to connect to the server through a
# firewall.
#
#NXTCPUPnPPort ""

#
# Specify the port where the NX UDP service will be redirected using
# NAT-PMP or UPnP to allow end-users to connect to the server through a
# firewall.
#
#NXUDPUPnPPort ""

#
# Specify the port where the SSHD service will be redirected using
# NAT-PMP or UPnP to allow end-users to connect to the server through
# a firewall.
#
#SSHUPnPPort ""

#
# Specify the port where the HTTP service will be redirected using
# NAT-PMP or UPnP to allow end-users to connect to the server through
# a firewall.
#
#HTTPUPnPPort ""

#
# Specify a port range, in the form of minport-maxport, to use UDP
# communication for multimedia data. Alternatively, specify a
# comma-separated list of ports or a single port. In this last case, only
# one connection will be able to use UDP at any given time. As a note,
# the Internet Assigned Numbers Authority (IANA) suggests the range
# 49152 to 65535 for dynamic or private ports.
#
#UDPPort 4011-4999

#
# Specify the TCP port where the SSHD daemon is listening on the NX
# Server host machine.
#
#SSHPort 22

#
# Set the base display number for NX sessions.
#
#DisplayBase 1001

#
# Set the maximum number of displays reserved for NX sessions.
#
#DisplayLimit 0

#
# Set the maximum number of concurrent connections.
#
#ConnectionsLimit 0

#
# Specify the threshold for printing an alert into server log when
# the number of concurrent connections reaches that value. This key
# must be used in conjunction with the ConnectionsLimit key.
#
#ConnectionsLimitAlert 0

#
# Specify the maximum number of concurrent connections that can be
# run by a single user.
#
#ConnectionsUserLimit 0

#
# Specify the threshold for printing an alert into server log when
# the number of concurrent users reaches that value. This key
# must be used in conjunction with the ConnectionsUserLimit key.
#
#ConnectionsUserLimitAlert 0

#
# Set the maximum number of concurrent virtual desktops.
#
#VirtualDesktopsLimit 0

#
# Specify the threshold for printing an alert into server log when
# the number of concurrent users reaches that value. This key
# must be used in conjunction with the VirtualDesktopsLimit key.
# The alert threshold should not be higher than the number of virtual
# desktops allowed by the license.
#
#VirtualDesktopsLimitAlert 0

#
# Specify the maximum number of concurrent Linux virtual desktops
# that can be run by a single user. By default a user can run as
# many virtual desktops as they are allowed on the server. By setting
# this value to 1, user has to terminate their disconnected virtual
# desktop before starting a new one.
#
#VirtualDesktopsUserLimit 0

#
# Specify the threshold for printing an alert into server log when
# the number of concurrent users reaches that value. This key
# must be used in conjunction with the VirtualDesktopsUserLimit key.
#
#VirtualDesktopsUserLimitAlert 0

#
# Specify absolute path of the custom script to be executed when any
# of the threshold alarms set for users or connections limits is
# reached. The script can accept username, client IP, type of alarm
# (for connections, users connections, virtual desktops and users
# virtual desktops limit) as its input.
#
#UserScriptAfterLimitAlarm ""

#
# Set for how long NX Server will retain data related to terminated
# sessions in its session history.
#
# <0: Never delete data from NX session history.
#
# 0: Disable NX sessions history.
#
# >0: Keep data in session history for this amount
#     of seconds.
#
# The default value, 2592000 seconds, lets NX Server keep session data
# for 30 days.
#
#SessionHistory 2592000

#
# Allow NX Server to terminate oldest disconnected sessions:
#
# 1: Enabled. Enable the automatic kill of the disconnected
#    sessions.
#
# 0: Disabled. Disconnected sessions are never terminated.
#
# When this option is set and the maximum number of concurrent sessions
# has been reached, the server will kill the oldest disconnected sessions to
# make room for the new session.
#
#EnableAutokillSessions 0

#
# Configure the NX Server behavior when the maximum number of allowed
# connections is reached. An already connected user can be asked to
# accept or refuse to disconnect to make room for the incoming user
# (this is the default), or can be automatically disconnected or
# never disconnected.
#
# 0: Disabled. The server prompts the connected user to accept or
#    refuse to disconnect for making room for the incoming user. If
#    no choice is made, the user is automatically disconnected.
#
# 1: Enabled. The server automatically disconnects the connected user
#    to make room for the connecting user. No message is issued to
#    the already connected user.
#
# 2: None. The server prompts the connected user to accept or
#    refuse to disconnect for making room for the incoming user. If
#    no choice is made, the server doesn't disconnect the user and
#    advises the incoming user that the maximum number of allowed
#    connections is reached.
#
# 3: Silent. The server never notifies desktop owners about incoming
#    users; incoming users are informed that the maximum number of
#    allowed connections is reached.
#
AutomaticDisconnection 0

#
# Enable persistent sessions for users. If the option is followed by
# the keyword 'all', all users are allowed to run persistent sessions.
# Alternatively, it can be followed by a list of comma-separated
# usernames. The default value is 'all' which corresponds to enabling
# persistent sessions for all users. Values specified are overridden
# by the value set for the 'DisablePersistentSession' key.
#
#EnablePersistentSession all

#
# Disable persistent sessions for users. If the option is followed by
# the keyword 'all', no user is allowed to run persistent sessions.
# Alternatively, the option can be followed by a list of comma-separated
# usernames. The default value is the empty string which corresponds
# to disabling persistent sessions for no user. The values specified
# override the values set for the 'EnablePersistentSession' key.
#
#DisablePersistentSession ""

#
# Enable or disable clipboard:
#
# client: The content copied on the client can be pasted inside the
#         NX session.
#
# server: The content copied inside the NX session can be pasted
#         on the client.
#
# both: The copy&paste operations are allowed between both the
#       client and the NX session and vice versa.
#
# none: The copy&paste operations between the client and the NX
#       session are never allowed.
#
#EnableClipboard both

#
# Enable or disable NX users DB:
#
# 1: Enabled. Only users listed in NX users DB can login to the NX
#    server.
#
# 0: Disabled. All the authenticated users can login.
#
# If the NX user DB is disabled, any user providing a valid password
# from local DB or through SSHD authentication, can connect to the NX
# system. This is likely to be the default when SSHD authentication
# with PAM is enabled.
#
#EnableUserDB 0

#
# Enable or disable NX password DB:
#
# 1: Enabled. Use NX password DB to authenticate users.
#
# 0: Disabled. Use SSHD + PAM authentication.
#
# System administrators can enable a restricted set of users to
# connect to NX Server by setting EnableUserDB to 1 and adding
# those users to the DB. If a user is enabled to connect, his/her
# password will be verified against the current PAM settings by the SSHD
# daemon.
#
# If both 'EnableUserDB' and 'EnablePasswordDB' are set to 0, any
# user being authenticated by SSHD account will be enabled to connect
# to the system.
#
EnablePasswordDB 0

#
# Specify policies as a comma-separated list of options to tune the
# behavior of clients 4 or higher and restore behaviors typical of
# version 3.x. Options accept value 1 (enabled) and 0 (disabled).
# This is the list of the available options:
#
# autocreate=1 run a new virtual desktop automatically when the
#              session type is pre-defined in the player configuration.
#
# autoconnect=1 reconnect automatically the user's virtual desktop.
#
# automigrate=1 don't connect to a virtual desktop when there is
#               a user already connected but disconnect and reconnect
#               the session on the new side (session migration).
#
# desktop=1 list all desktop types set in the AvailableSessionTypes
#           key.
#
# dialog=1 display the disconnect/terminate dialog.
#
# xsessions=1 list all desktop types which are available in
#             /usr/share/xsessions.
#
# udp=1 enable UDP with value 1, disable it with value 0.
#
ConnectPolicy autocreate=1,autoconnect=1,automigrate=1,desktop=0,dialog=1,xsessions=0,udp=1

#
# Enable or disable starting the NoMachine HTTP server. If enabled,
# the server will be started automatically at every reboot.
#
# 1: Automatic. Enable automatic starting of the HTTP server.
#
# 0: Manual. Disable automatic starting of the HTTP server.
#    The server can be started manually.
#
#StartHTTPDaemon Automatic

#
# Enable or disable starting the NX service. If enabled, the service
# will be started automatically at every reboot.
#
# 1: Automatic. Enable automatic starting of the NX server.
#
# 0: Manual. Disable automatic starting of the NX server.
#    The server can be started manually.
#
#StartNXDaemon Automatic

#
# Enable or disable starting the NX service on Windows. If enabled,
# the SSH server will be started automatically at every reboot.
#
# 1: Automatic. Enable automatic starting of the SSH server.
#
# 0: Manual. Disable automatic starting of the SSH server.
#    The server can be started manually.
#
#StartSSHDaemon Automatic

#
# Specify how clients will have to contact the node, by default by
# the NX service. To allow for multiple methods, specify them in a
# comma-separated list. Supported methods are: NX, SSH and HTTP.
#
ClientConnectionMethods NX,SSH

#
# Specify a list of comma-separated 'hostname:port' values for XDM
# server.
#
#RoundRobinXdmList 127.0.0.1:177

#
# Enable or disable the XDM round robin query:
#
# 1: Enabled. Let NX Server decide XDM host according to hostnames
#    that are defined in the RoundRobinXdmList key.
#
# 0: Disabled.
#
#EnableRoundRobinXdmQuery 1

#
# Enable or disable the XDM indirect query:
#
# 1: Enabled. Let the user obtain a list of available XDM hosts.
#
# 0: Disabled.
#
#EnableIndirectXdmQuery 0

#
# Enable or disable the XDM direct query:
#
# 1: Enabled. Let client specify XDM host.
#
# 0: Disabled.
#
#EnableDirectXdmQuery 0

#
# Enable or disable the XDM broadcast query:
#
# 1: Enabled. Let client connect to the first responding XDM host.
#
# 0: Disabled.
#
#EnableBroadcastXdmQuery 0

#
# Specify the algorithm to be used for selecting the node. Accepted
# values are:
#
# round-robin: the server applies a plain round-robin algorithm to
#              choose the node or a weighted round-robin algorithm
#              if weight has been specified for each node. This is
#              the default.
#
# custom: the server uses the custom load-balancing algorithm
#         specified in the NodeSelectionScript key.
#
# load-average: the server chooses the node with the minimum load
#               average provided by the system.
#
# system-load: the server selects the node with the lowest system
#              load calculated according to the algorithm specified
#              in the nxreportsystemload.sh script set on the node.
#
#LoadBalancingAlgorithm round-robin

#
# Specify path and name to the script providing the load-balancing
# algorithm.
#
#NodeSelectionScript ""

#
# Specify path and name of the command 'sessreg' for managing utmp and
# wtmp entries for non-init clients.
#
#CommandSessreg /usr/bin/sessreg

#
# Specify the location and name of the SSH authorized keys file.
#
#SSHAuthorizedKeys authorized_keys2

#
# Accept or refuse the client connection if SSHD does not export
# the 'SSH_CONNECTION' and 'SSH_CLIENT' variables in the environment
# passed to the NX Server.
#
# 1: Refuse. Check the remote IP and do not accept the connection if it
#    can't be determined.
#
# 0: Accept. Check the remote IP and accept the connection even if the
#    remote IP is not provided.
#
#SSHDCheckIP 0

#
# Enable or disable support for automatic provision of guest accounts.
#
# 0: Disabled. Only users with a valid account can get access.
#
# 1: Enabled. The automatic generation of guest accounts on demand.
#
#EnableGuestCreateVirtualDesktop 0

#
# Specify the base username to be used by NX Server to create guest
# users accounts. The server will add a progressive number to the
# name specified by GuestName, according to the range of values set
# in the BaseGuestUserId and GuestUserIdLimit keys.
#
#GuestName guest

#
# Set the base User Identifier (UID) number for NX guest users.
#
#BaseGuestUserId 10

#
# Set the maximum User Identifier (UID) number reserved for NX guest
# users.
#
#GuestUserIdLimit 200

#
# Set the Group Identifier (GID) for NX guest users. The specified
# GID must already exist on the system.
#
#GuestUserGroup ""

#
# Set the maximum number of concurrent NX guest users.
#
#GuestUserLimit 10

#
# Set the maximum number of NX sessions an NX guest user can run before
# his/her account is terminated.
#
#GuestUserConnectionLimit 5

#
# Set for how long NX Server has to retain NX guest users accounts.
#
# 0: NX guest users accounts are never removed.
#
# >0: Maintain NX guest users accounts for this amount
#     of seconds.
#
# The default value, 2592000 seconds, lets NX Server keep guest users
# accounts for 30 days.
#
#GuestUserAccountExpiry 2592000

#
# Set for how long NX Server has to keep alive a NX guest user's
# session. When the time has expired, NX Server will kill the session.
#
# 0: NX guest user session is never terminated.
#
# >0: Keep NX guest user session live for this number
#     of seconds.
#
#GuestConnectionExpiry 0

#
# Enable or disable possibility for NX guest users to disconnect their
# sessions:
#
# 1: Enabled. NX Server lets NX guest users disconnect sessions.
#
# 0: Disabled.
#
#GuestUserAllowDisconnect 1

#
# Set the home directory for NX guest users. Provide an empty value
# between double quotes to let NX Server create the guest user's home
# in the default directory set on the system.
#
#GuestUserHome /home

#
# Enable or disable removing the NX guest user from the system when the
# account is expired:
#
# 1: Enabled. When the guest account is expired, NX Server will
#    delete the account from both the system and the NX guests DB
#    and will remove the home directory.
#
# 0: Disabled. When the guest account is expired, NX Server will
#    keep the guest account on the system but will forbid this user
#    to start new sessions on the server.
#
#EnableGuestWipeout 1

#
# Allow the server to set disk quota for the NX guest accounts:
#
# 1: Enabled. When a new guest account is created on the system,
#    the server will set the disk quota for this user.
#
# 0: Disabled. No restrictions on the amount of disk space used
#    by each guest user are applied.
#
#EnableGuestQuota 0

#
# Specify the username of the account to be used as a prototype for
# propagating its disk quota settings to all the new guest accounts.
# If the softlimit or the hardlimit on either the inode or the disk
# block are set, they will override the settings applied to the user
# prototype.
#
#GuestQuotaProtoname protoguest

#
# Specify the maximum amount of disk space available for each of the
# guest users, checked as number of inodes. This limit can be exceeded
# for the grace period.
#
#GuestQuotaInodeSoftlimit 0

#
# Specify the absolute maximum amount of disk space available for
# each of the guest users, checked as number of inodes. Once this
# limit is reached, no further disk space can be used.
#
#GuestQuotaInodeHardlimit 0

#
# Specify the maximum amount of disk space available for each of the
# guest users, checked as number of disk blocks consumed. This limit
# can be exceeded for the grace period.
#
#GuestQuotaBlockSoftlimit 0

#
# Specify the absolute maximum amount of disk space available for each
# of the guest users, checked as number of disk blocks consumed. Once
# this limit is reached, no further disk space can be used.
#
#GuestQuotaBlockHardlimit 0

#
# Specify the grace period, expressed in seconds, during which the
# soft limit set in the GuestQuotaInodeSoftlimit key may be
# exceeded.
#
#GuestQuotaInodeGracePeriod 0

#
# Specify the grace period, expressed in seconds, during which the
# soft limit set in the GuestQuotaBlockSoftlimit key may be
# exceeded.
#
#GuestQuotaBlockGracePeriod 0

#
# Specify a list of comma-separated filesystem names or devices to
# which the disk quota restrictions will be applied. The default
# value is 'all' which corresponds to applying the disk quota limits
# to all the filesystems having disk quota enabled.
#
#GuestQuotaFilesystems all

#
# Set the User Identifier (UID) number for NX users. If an empty value
# is specified, the NX Server will create the account with the default
# value set on the system.
#
#UserId ""

#
# Set the Group Identifier (GID) for NX users. If an empty value is
# specified, NX Server will create the account with the default
# value set on the system.
#
#UserGroup ""

#
# Set the home directory for NX users. If an empty value is specified,
# NX Server will create the user's home in the default directory
# set on the system.
#
#UserHome ""

#
# Allow the given type of users to connect to a virtual desktop.
# Set this key to 'all' to allow all kinds of users, or to 'none' to
# completely forbid connections to already running virtual desktops.
# Otherwise give a comma-separated list of values to indicate which
# types of users are allowed to connect; order is not relevant and
# accepted values are:
#
# administrator: system and NoMachine administrators.
#
# trusted: NoMachine trusted users for connections to virtual
#          desktops.
#
# system: all unprivileged users who have a valid account to
#         login.
#
# owner: the owner of the virtual desktop.
#
# guest: Guest Desktop Sharing users who login anonymously
#        to cloud server and nodes without having a system
#        account and system guests with an account generated
#        on demand on Linux terminal server nodes.
#
#VirtualDesktopAccess administrator,trusted,owner,system

#
# Set the interaction level for the session connected to a virtual
# desktop:
#
# 0: View-only. The session is connected to the desktop in
#    view-only mode, i.e. the user can't interact with the
#    virtual desktop.
#
# 1: Restricted. User connected to the virtual desktop can
#    interact with the desktop except for resize operations.
#
# 2: Interactive. User connected to the virtual desktop has
#    full interaction with the desktop.
#
#VirtualDesktopMode 2

#
# When allowed to connect to a virtual desktop, specify which kinds
# of users don't need the authorization of the virtual desktop owner.
# Set this key to 'all' to allow all kinds of users except the guest
# desktop sharing users who always require the owner's approval.
# Set it to 'none' to require the owner's approval every time, or provide
# a comma-separated list of types of users; order is not relevant.
# Accepted values are:
#
# administrator: system and NoMachine administrators.
#
# trusted: NoMachine trusted users for connections to physical
#          desktop.
#
# system: all unprivileged users who have a valid account to
#         login.
#
# owner: the owner of the remote desktop.
#
#VirtualDesktopAccessNoAcceptance administrator,trusted,owner

#
# Allow the given type of users to connect to the physical desktop.
# Set this key to 'all' to allow all kinds of users, or to 'none' to
# completely forbid access to the physical desktop. Otherwise give
# a comma-separated list of values to indicate which types of users
# are allowed to connect; order is not relevant. Accepted values are:
#
# administrator: system and NoMachine administrators.
#
# trusted: NoMachine trusted users for connections to physical
#          desktop.
#
# system: all unprivileged users who have a valid account to
#         login.
#
# owner: the owner of the physical desktop.
#
# guest: Guest Desktop Sharing users who login anonymously
#        without having a system account and system guests
#        with an account generated on demand on the Linux
#        host. Guests are never allowed to connect to the
#        desktop of a cloud server.
#
#PhysicalDesktopAccess administrator,trusted,system,guest,owner

#
# Set the interaction level for the session connected to the physical
# desktop:
#
# 0: View-only. The session is connected to the desktop in
#    view-only mode, i.e. the user can't interact with the
#    physical desktop.
#
# 1: Restricted. User connected to the physical desktop can
#    interact with the desktop except for resize operations.
#
# 2: Interactive. User connected to the physical desktop has
#    full interaction with the desktop.
#
#PhysicalDesktopMode 2

#
# Enable, disable or restrict NX Server requesting authorization to
# the owner of the physical desktop to allow a different user to
# connect.
#
# administrator: system and NoMachine administrators.
#
# trusted: NoMachine trusted users for connections to physical
#          desktop.
#
# system: all unprivileged users who have a valid account to
#         login.
#
# owner: the owner of the remote desktop.
#
PhysicalDesktopAccessNoAcceptance administrator,trusted

#
# Enable or disable the desktop owner to access the remote physical
# desktop if screen sharing is disabled.
#
# 1: Enabled. The desktop owner can always connect, also when screen
#    sharing is disabled. This is the default.
#
# 0: Disabled. The desktop owner cannot connect when screen sharing
#    is disabled.
#
#ScreenSharingOwnerAccess 1

#
# Allow users to access the system login screen when connecting to
# the physical display.
#
# 1: Enabled. Users can connect to the system login screen and insert
#    their credentials to log-in to the physical desktop. This is the
#    default.
#
# 0: Disabled. Users are not allowed to connect to the system login
#    screen. Only system administrators, NoMachine administrators and
#    trusted users are still able to log-in.
#
LoginScreenAccess 1

#
# Configure automatically NoMachine for allowing only connections
# to the remote physical display upon desktop owner's authorization.
# This overrides more permissive settings set in LoginScreenAccess,
# ScreenSharingOwnerAccess and PhysicalDesktopAccessNoAcceptance.
#
# 1: Enabled. All connections must be explicitly accepted to be
#    allowed to proceed. Use this setting only if the computer is
#    running attended.
#
# 0: Disabled. Desktop owner's authorization is requested according
#    to values set in keys PhysicalDesktopAccessNoAcceptance and
#    ScreenSharingOwnerAccess. Access to login screen depends on
#    value set for LoginScreenAccess.
#
#EnableScreenSharingMode 0

#
# Specify absolute path of the custom script to be executed before
# the user logs in. The script can accept remote IP of the user's
# machine as its input.
#
# E.g. UserScriptBeforeLogin /tmp/nxscript/script.sh
#
#UserScriptBeforeLogin ""

#
# Specify absolute path of the custom script to be executed after
# the user logs in. The script can accept username and remote IP
# of the user's machine as its input.
#
#UserScriptAfterLogin ""

#
# Specify absolute path of the custom script to be executed after
# the user is logged out. The script can accept username and remote
# IP of the user's machine as its input.
#
#UserScriptAfterLogout ""

#
# Specify absolute path of the custom script to be executed before
# the session start-up. The script can accept session ID, username,
# node host and node port as its input.
#
#UserScriptBeforeSessionStart ""

#
# Specify absolute path of the custom script to be executed after the
# session start-up. The script can accept session ID, username, node
# host and node port as its input.
#
#UserScriptAfterSessionStart ""

#
# Specify absolute path of the custom script to be executed before
# the session is closed. The script can accept session ID, username,
# node host and node port as its input.
#
#UserScriptBeforeSessionClose ""

#
# Specify absolute path of the custom script to be executed after the
# session is closed. The script can accept session ID, username, node
# host and node port as its input.
#
#UserScriptAfterSessionClose ""

#
# Specify absolute path of the custom script to be executed before
# the session is reconnected. The script can accept session ID,
# username, node host and node port as its input.
#
#UserScriptBeforeSessionReconnect ""

#
# Specify absolute path of the custom script to be executed after the
# session is reconnected. The script can accept session ID, username,
# node host and node port as its input.
#
#UserScriptAfterSessionReconnect ""

#
# Specify absolute path of the custom script to be executed before
# the session is disconnected. The script can accept session ID,
# username, node host and node port as its input.
#
#UserScriptBeforeSessionDisconnect ""

#
# Specify absolute path of the custom script to be executed after
# the session is disconnected. The script can accept session ID,
# username, node host and node port as its input.
#
#UserScriptAfterSessionDisconnect ""

#
# Specify absolute path of the custom script to be executed before
# session failure. The script can accept session ID, username, node
# host and node port as its input.
#
#UserScriptBeforeSessionFailure ""

#
# Specify absolute path of the custom script to be executed after
# session failure. The script can accept session ID, username, node
# host and node port as its input.
#
#UserScriptAfterSessionFailure ""

#
# Specify absolute path of the custom script to be executed before
# NX Server creates the new account. The script can accept username
# as its input.
#
#UserScriptBeforeCreateUser ""

#
# Specify absolute path of the custom script to be executed after
# NX Server has created the new account. The script can accept
# username as its input.
#
#UserScriptAfterCreateUser ""

#
# Specify absolute path of the custom script to be executed before
# NX Server removes the account. The script can accept username as
# its input.
#
#UserScriptBeforeDeleteUser ""

#
# Specify absolute path of the custom script to be executed after
# NX Server has removed the account. The script can accept username
# as its input.
#
#UserScriptAfterDeleteUser ""

#
# Specify absolute path of the custom script to be executed before
# NX Server disables the user. The script can accept username as its
# input.
#
#UserScriptBeforeDisableUser ""

#
# Specify absolute path of the custom script to be executed after
# NX Server has disabled the user. The script can accept username
# as its input.
#
#UserScriptAfterDisableUser ""

#
# Specify absolute path of the custom script to be executed before
# NX Server enables the user. The script can accept username as its
# input.
#
#UserScriptBeforeEnableUser ""

#
# Specify absolute path of the custom script to be executed after
# NX Server has enabled the user. The script can accept username
# as its input.
#
#UserScriptAfterEnableUser ""

#
# Specify absolute path of the script to be executed before
# the server daemon is started.
#
#ScriptBeforeServerDaemonStart ""

#
# Specify absolute path of the script to be executed after
# the server daemon is started.
# #ScriptAfterServerDaemonStart "" # # Specify absolute path of the script to be executed before # the server daemon is stopped. # #ScriptBeforeServerDaemonStop "" # # Specify absolute path of the script to be executed after # the server daemon is stopped. # #ScriptAfterServerDaemonStop "" # # Specify path and name to the script to be executed for displaying # a custom message to users in addition to the default error message. # To create your own script, use the nxcustomerrormessages template # stored in scripts/env under the NoMachine installation directory. # #CustomErrorMessages "" # # Allow the root user (or Administrator on a Windows machine) to # run NX sessions. # # 1: Enabled. Allow an NX user to run sessions as user with # administrative rights. # # 0: Disabled. NX Server forbids an NX user to log in as user # having administrative privileges. # #EnableAdministratorLogin 1 # # Specify path to the SSH client. # #SSHClient /usr/bin/ssh # # Enable or disable broadcasting the required information to let # other computers discover this host on the local network. # # 1: Enabled. Other computers on the local network can find # this host machine. # # 0: Disabled. This computer cannot be found on the local # network but it's still reachable by providing its IP # or hostname. # #EnableNetworkBroadcast 1 # # Specify a list of comma-separated session types available on this # server. # AvailableSessionTypes unix-remote,unix-console,unix-default,unix-application,physical-desktop,shadow,unix-xsession-default,unix-gnome,unix-xdm # # Specify how the node process is run. # # 1: Noshell. Execute script to run the node process directly. # # 0: Shellmode. Execute script to run the node process by # invoking the bash shell. # #RunNodeMode 0 # # Enable the server to automatically configure the firewall for all # the configured services. 
On platforms that don't support adding # the specific executables to a white list, the needed ports are # added at server startup and removed at server shutdown, or when, # at run-time, a new port is needed. The default value is 1. # # 1: Enabled. NoMachine opens the required ports in the firewall. # # 0: Disabled. Firewall must be configured manually. By default # the required ports are TCP ports 4000 for NX, 4443 for HTTPS and # UDP ports in the range 4011-4999 range. # #EnableFirewallConfiguration 1 # # Enable or disable logging to the system log file, e.g. syslog # on UNIX based systems and Events log on Windows platforms. # # 1: Enabled. The webplayer and webclient applications will log # to the system log file. # # 0: Disabled. This is the default value, server and webplayer # will log to the home of the session owner or to the path # specified in the CommonLogDirectory key, if enabled. # #EnableSyslogSupport 0 # # Set for how long the server has to keep alive virtual desktops in # status disconnected. When the time is expired, the server will # terminate virtual desktops if no user are connected there. # # 0: Virtual desktops in status disconnected are never terminated. # This is the default. # # >0: Keep Disconnected session alive for this number # of seconds. # #DisconnectedSessionExpiry 0 # # Enable or disable NoMachine server checking at start up the status # of the Windows Net Logon service. # # 1: Enabled. The server will delay its start up until Net Logon is # up and running. This is required when the NoMachine server host # is an ActiveDirectory client. If Net Logon fails to start, No- # Machine server will be not available on this host and the start # up procedure will report an error. # # 0: Disabled. NoMachine server will start without verifying if Net # Logon is up and running. This is the default setting. # #NetLogonDependency 0 # # Set for how long the server will wait for the authentication phase # to be completed on the system. 
# By default timeout is set to 30
# seconds. Increase this value when the authentication process on
# the system takes longer. This setting applies also to two-factor
# authentication.
#
#AuthorizationTimeout 30

#
# Enable or disable the automatic creation of an X11 display when no
# X servers are running on this host (e.g. headless machine) to let
# users connect to the desktop. This setting applies to NoMachine
# servers not supporting virtual desktops and permits only a
# single display.
#
# 1: Enabled. NoMachine will create automatically the new display at
#    server startup. This setting has to be used in conjunction with
#    'DisplayOwner' and 'DisplayGeometry'.
#
# 0: Disabled. NoMachine will prompt the user for creating the new
#    display. This is the default.
#
#CreateDisplay 0

#
# When 'CreateDisplay' is enabled, specify the display owner and let
# NoMachine create the new display without querying the user. If the
# server supports only one concurrent connection, the connecting user
# must be the display owner set in this key.
#
#DisplayOwner ""

#
# When 'CreateDisplay' is enabled, specify the resolution of the new
# desktop in the WxH format. Default is 800x600.
#
#DisplayGeometry 800x600

#
# Enable or disable support for Kerberos ticket-based authentication
# for connections by NX protocol.
#
# 1: Enabled. Kerberos ticket-based authentication is supported when
#    users connect by the NX protocol.
#
# 0: Disabled. Kerberos ticket-based authentication is not supported
#    for connections by NX protocol. This is the default.
#
#EnableNXKerberosAuthentication 0

#
# Set for how long the server will wait for the Kerberos response
# from the Kerberos KDC server. By default timeout is set to 10
# seconds. Increase this value when the authentication process on
# the system takes longer.
#
#NXKerberosAuthenticationTimeout 10

#
# Set the maximum size for the Kerberos authentication request, by
# default 1048576 bytes.
#
#NXKerberosRequestLimit 1048576

#
# Enable or disable support for Kerberos ticket forwarding to the
# remote node when the user didn't authenticate with Kerberos, but
# their Kerberos ticket is already available on the server system.
# This key applies to a multi-node environment only and it's
# disabled by default.
#
# 1: Enabled. User's Kerberos ticket already available on the
#    NoMachine server system will be forwarded to the remote node
#    where the user's session is started.
#
# 0: Disabled. User's Kerberos ticket will not be forwarded to the
#    remote node where the user's session is started.
#
#EnableNXKerberosForwardingToRemote 0

#
# Activate the system lock screen when the NoMachine user disconnects
# from the physical display.
#
# 1: Enabled. When the user disconnects, the physical screen of this
#    host will be locked.
#
# 0: Disabled. When the user disconnects, the screen state will not
#    change. This is the default.
#
#EnableLockScreen 0

#
# Enable or disable the automatic logout of the user from the system
# upon disconnection of the NoMachine session.
#
# 1: Enabled. NoMachine will execute the forcelogout.sh script. The
#    automatic logout can be effective only if the command set in
#    script is appropriate for the system.
#
# 0: Disabled. When disconnecting the NoMachine session, the user is
#    not automatically logged out of the system.
#
#LogoutOnDisconnect 0

#
# Delay the execution of the logout command when 'LogoutOnDisconnect'
# is enabled. By default timeout is set to 0, i.e. the forceLogout.sh
# script is executed immediately as soon as the user disconnects the
# session. Specify a delay in seconds, for example 600 to execute the
# logout after ten minutes.
#
#LogoutOnDisconnectTimeout 0

#
# Enable or disable support for SSL client authentication in the NX
# service.
#
# 1: Enabled. The NX service, nxd, uses the client side certificate
#    to validate the connecting client against a list of allowed
#    clients.
#    Only clients owning a certificate valid for this NX
#    service can authenticate with this method.
#
# 0: Disabled. Authentication by using a client side certificate
#    is not possible.
#
# This option applies to connections by NX protocol only and it's
# disabled by default.
#
#EnableNXClientAuthentication 0

#
# Specify how clients will have to authenticate to the server, by
# default all the available methods are supported. This corresponds
# to value all. To specify a subset of methods use a comma-separated
# list.
#
# Supported methods for connections by NX protocol are:
#    NX-password   : Password authentication.
#    NX-private-key: Key-based authentication.
#    NX-kerberos   : Kerberos ticket-based authentication.
#
# Supported method for connections by SSH protocol is:
#    SSH-system    : All methods supported for the system login.
#                    SSH authentication methods for the system login
#                    have to be set on the system for example in the
#                    PAM configuration.
#
# For example:
#    AcceptedAuthenticationMethods NX-private-key,SSH-system
#
# This key has to be used in conjunction with ClientConnectionMethod.
# See also the EnableNXClientAuthentication key for enabling SSL
# client authentication for connections by NX protocol.
#
#AcceptedAuthenticationMethods all

#
# Configure behavior of the NoMachine menu to be displayed inside the
# session: hide the welcome panels shown at session startup, prevent
# users from changing settings or use specific services. Default is
# 'all', welcome panels are shown and the menu can be used without
# restrictions. Set this key to 'none' for hiding both welcome panels
# and the NoMachine menu (clicking on the page peel or pressing
# ctrl+alt+0 will not open it). Give a comma-separated list of values
# to indicate which items should be made available to users.
#
# Available values for client and web sessions are: welcome,input,
# display,display-mode,display-settings,connection.
# Client sessions
# support also: devices,devices-disk,devices-printer,devices-usb,
# devices-network,devices-smartcard,audio,audio-settings,mic,
# mic-settings,recording. For web sessions instead it's possible to
# set also: keyboard,clipboard.
#
#ClientMenuConfiguration all

#
# Enable or disable users to store their access credentials on their
# devices when they connect via NoMachine client or in the browser's
# cookie in case of web sessions. Accepted values are:
#
# player:    Allow only users connected via NoMachine client to save
#            username and password in their connection file.
#
# webplayer: Allow only users connected via web to store username and
#            password in the browser's cookies, if enabled.
#
# both:      Users connected via client or via web can always choose
#            to store their credentials.
#
# none:      Do not permit users to save their username and password.
#            Users will be requested to insert their credentials at
#            each new connection via NoMachine client or web.
#
#
#EnableClientCredentialsStoring both

#
# Enable or disable strict GSSAPI host credential check for Kerberos
# authentication. When enabled, authentication is done against the
# host service on the current hostname. If disabled, authentication
# is done against any requested service key stored in the keytab file.
#
# 1: Enabled. Kerberos authentication is made strictly against hostname
#    host service. This is the default.
#
# 0: Disabled. Allow relaxed GSSAPI host credential check, and make
#    it possible to authenticate against GSSAPI host service with a
#    different name than hostname.
#
#NXGSSAPIStrictAcceptorCheck 1

#
# Enable or disable support for PAM account management when Kerberos
# authentication is used in connections by NX protocol.
#
# 1: Enabled. Support for PAM account management is enabled.
#
# 0: Disabled. Support for PAM account management is disabled.
#
#NXKerberosUsePAM 1

#
# Specify path to the GSSAPI library to be used for authentication.
#
#NXGssapiLibraryPath ""

#
# Specify path to the Kerberos library module to be used for user's
# authentication.
#
#NXKerberosLibraryPath ""

#
# Enable or disable support for PAM account management when public key
# authentication is used in connections by NX protocol.
#
# 1: Enabled. Support for PAM account management is enabled.
#
# 0: Disabled. Support for PAM account management is disabled.
#
#NXKeyBasedUsePAM 1

#
# Enable or disable this server accepting direct connections to its
# IP or hostname when it's federated in a multi-server environment.
#
# 1: Enabled. Users are allowed to connect to this NoMachine server.
#
# 0: Disabled. Users have to connect to the main server ruling the
#    multi-host environment in order to reach this server.
#
#EnableDirectConnections 1

#
# Enable or disable forwarding system groups to the remote node. This
# key applies to a multi-node environment only and it's disabled by
# default.
#
# 1: Enabled. On the remote node, users will be part of a system
#    group configured on the main server host.
#
# 0: Disabled. System groups configured on the main server host
#    are not forwarded to the nodes.
#
#EnableSystemGroupsForwardingToRemote 0

#
# Set the log level of NoMachine Web Player. Web Player logs all events
# that are <= to the level specified below, according to the following
# convention:
#
# KERN_ERR         3: Error condition.
# KERN_INFO        6: Informational.
# KERN_DEBUG       7: Debug-level messages.
#
# The suggested values are:
#
# 6: Default value. Only relevant events are logged.
#
# 7: Set the log level to debug.
#
#WebSessionLogLevel 6

#
# Specify user name of NoMachine HTTP Server owner.
#
#ApacheUname nxhtd

#
# Specify group name of NoMachine HTTP Server owner.
#
#ApacheGname nxhtd

#
# Allow NoMachine HTTP Server to serve content of Web Player
# application.
#
# 1: Enabled. Users can access the Web Player application.
#
# 0: Disabled. The Web Player application is not accessible.
#
#EnableWebPlayer 1

#
# Specify the absolute path for the Web Player graphic interface and
# for storing session images generated by the X11 agent.
#
#WebDirPath /usr/NX/share/htdocs/nxwebplayer

#
# Make Web Player request user credentials to connect to the server
# or try to connect automatically as a guest user on the server:
#
# 1: Enabled. Web Player tries to log-in to server as a guest
#    without the need for user intervention. Server must support
#    the automatic generation of guest accounts and have this
#    functionality enabled.
#
# 0: Disabled. Web Player prompts the user asking for access
#    credentials to log-in to server. Users can provide either
#    their username and password or try to log-in as a guest
#    if the server supports it.
#
#EnableWebGuest 0

#
# Show the tutorial wizard for the menu panel at session startup.
#
# 1: Enabled. Display the tutorial screenshots.
#
# 0: Disabled. Do not show the tutorial.
#
#EnableWebMenuTutorial 1

#
# Make Web Player change connection name:
#
# 1: Enabled. Display the name set in the Section "Server"
#    directive.
#
# 0: Disabled. Display the hostname of the server.
#
#EnableWebConnectionName 0

#
# Allow NoMachine HTTP Server to serve content of Web Player
# application only when a connection file stored on the server is
# provided in the URL.
#
# 1: Enabled. Users can run sessions on the web only through the
#    default.nxs file or another connection file pre-configured
#    on the server.
#
# 0: Disabled. Users can configure their web sessions at runtime
#    or can use pre-configured connection files stored on the
#    server or on their device. This is the default.
#
#EnableWebPreconfiguration 0

#
# Specify which method, 'classic' or 'webrtc', has to be used for
# browser-server communication. Set 'classic,webrtc' (default) to use
# WebRTC when the browser supports it or fall back to the classic web
# media exchange protocol.
#
#AcceptedWebMethods classic,webrtc

#
# Specify for how many seconds the automatically generated password
# must be valid. The default value is 60 seconds.
#
#OneTimePasswordValidityPeriod 60

#
# Specify the GUI language. Available languages are: English (default),
# French, German, Italian, Spanish, Polish, Portuguese and Russian.
# Users will still be able to change the language in the GUI.
#
#WebSessionLanguage English

#
# Specify the GUI theme, sunshine (default) or moonlight. Users will
# still be able to change the GUI theme in the GUI.
#
#WebSessionTheme sunshine

#
# Specify the wave theme, red (default), light gray or dark gray.
# Users will still be able to change the wave theme in the GUI.
#
#WebSessionWave red

#
# Enable or disable the debug tool when the server program is launched.
#
# 1: Enabled. The debug tool specified in the CommandDebug key will
#    be run to debug the server program. This can slow down the
#    execution of the server.
#
# 0: Disabled. Debug tool is not run.
#
#EnableDebug 0

#
# Specify absolute path of the command to launch a debug tool.
#
#CommandDebug ""

#
# Specify path and commands of the debug tool in a comma-separated
# list, e.g. accepted command for Valgrind is '/usr/bin/valgrind.bin'.
#
#AcceptedDebuggerCommands /usr/bin/valgrind.bin

#
# Append arguments to the command used by the server to launch the
# debug tool.
#
# Multiple parameters can be specified by separating them with a blank
# character. For security reasons, no shell interpretation is made.
#
#DebugOptions ""

#
# Enable or disable NoMachine clients trying to auto-reconnect when
# the connection is lost. A comma-separated list of protocols can
# be also provided.
#
# NX:   The auto-reconnection will be available only for clients
#       connected by NX protocol.
#
# SSH:  The auto-reconnection will be available only for clients
#       connected by SSH protocol.
#
# HTTP: The auto-reconnection will apply only to sessions connected
#       via web.
#
# none: The auto-reconnection is disabled on all kinds of connections.
#
#EnableClientAutoreconnect NX,SSH,HTTP

#
# Force clients to start a new session at every connection. Server
# will always send an empty list of available sessions, users will
# be therefore not able to reconnect their Linux virtual desktops
# and custom sessions or to connect to other users' desktops if any.
# Specify 'all' to apply this setting to all users or provide a comma
# separated list of usernames. Disable session persistence to force
# the termination of virtual desktops and custom sessions. Set this
# key to 'none' to allow the server to provide the ordinary list of
# available sessions to the client. This is the default.
#
#ForceClientNewSession none

#
# Specify the base path to the authorized keys file for connections
# by NX protocol. By default it's the user's home directory. If a
# custom path is specified, the server will add the user's name to
# the base path, e.g. /tmp/nxtest01 on Linux. This key has to be used
# in conjunction with NXAuthorizedRelativePath.
#
#NXAuthorizedBasePath ""

#
# Specify the relative path to the authorized keys file and the file
# name, by default authorized.crt. The base path to this file is
# defined in NXAuthorizedBasePath.
#
#NXAuthorizedRelativePath .nx/config/authorized.crt

#
# Enable, disable or restrict NX Server requesting authorization to
# connecting users to allow the automatic recording of the session.
#
# 0: Disabled. The user is informed that his/her session will be
#    recorded. If only a percentage of sessions is recorded,
#    the user is notified about that possibility.
#
# 1: Enabled. The user can accept or refuse to allow NoMachine
#    to record his/her session.
#
# 2: Restricted. The user can accept or refuse to allow NoMachine
#    to record his/her session but in this last case the session
#    will be terminated or disconnected in case of a virtual desktop.
#
#AutomaticRecordingAuthorization 1

#
# In a multi-node environment exclude automatically a node from the
# list of available nodes when the number of failed sessions on that
# host exceeds the limit. Default is 0, never exclude the node.
#
#FailedSessionLimit 0

#
# Set the minimum time interval to be elapsed for including a failed
# session in the counter for the failed session limit. Default is 60
# seconds.
#
#FailedSessionMinimumLifeTime 60

#
# Configure access to the initial page displayed when connecting by
# the web. Accepted values are:
#
# unrestricted: Users access the initial page without logging-in.
#
# systemlogin:  Users need to provide their system credentials.
#
# networklogin: Users need to provide their credentials for NoMachine
#               Network login.
#
#WebAccessType unrestricted

#
# Specify the maximum number of connections that the NX service can
# accept. Further connections will be denied.
#
#NXdConnectionsLimit ""

#
# Specify the interval of time in seconds during which the NX service
# can accept connections up to the NXdConnectionsIntervalLimit.
#
#NXdConnectionsInterval ""

#
# Specify the maximum number of connections that the NX service can
# accept during the interval of time set in NXdConnectionsInterval.
#
#NXdConnectionsIntervalLimit ""

#
# Specify the referrers allowed to access the web player in a comma
# separated list. If the referrer is not in the list, redirects the
# user to the URL set in the WebRedirect key.
#
WebReferrer ""

#
# Specify the URL for redirecting users when their referrer is not
# allowed in the WebReferrer key.
#
WebRedirect ""

#
# Specify the network interface where the NX service will be bound.
# Populate the field with an IP address or a domain name.
#
#NXdListenAddress ""

#
# Enable or disable support for OKTA primary password authentication
# for connections by NX protocol.
#
# 1: Enabled. OKTA password authentication is supported.
#
# 0: Disabled. OKTA authentication is not supported.
#
#EnableNXOktaAuthentication 0

#
# When EnableNXOktaAuthentication is enabled, specify if a successful
# Okta authentication is required or not. If not, authentication
# relies on system password authentication regardless of result of
# Okta authentication, this is the default.
#
# 1: Enabled. Successful OKTA authentication is required.
#
# 0: Disabled. Successful OKTA authentication is not required.
#
#NXOktaAuthenticationRequired 0

#
# When EnableNXOktaAuthentication is enabled, specify the Okta domain
# (e.g. example-1234567.okta.com)
#
#OktaDomain ""

#
# When EnableNXOktaAuthentication is enabled on Linux, specify the
# path to the directory containing CA certificates for Okta server
# verification. If not set, NoMachine will try to use the standard
# path '/etc/ssl/certs'. If it doesn't exist, it will try to use
# '/etc/pki/tls/certs'.
#
#OktaCAPath ""

#
# When EnableNXOktaAuthentication is enabled on Linux, specify the
# file containing one or more CA certificates to be used for Okta
# server verification. If not set, NoMachine will try to use the
# standard file '/etc/pki/tls/cert.pem'.
#
#OktaCAInfo ""

#
# When EnableNXOktaAuthentication is enabled, enable or disable the
# automatic creation of a local system account based on credentials
# used during Okta authentication. Users need to have a local account
# or the Okta authentication will fail.
#
# 1: Enabled. NoMachine will create automatically a new local account
#    if it doesn't exist already, with the same name and password as
#    the one used during Okta authentication.
#
# 0: Disabled. NoMachine will not create a local account for the
#    OKTA user. A local account must already exist for the connecting
#    user.
#
#CreateLocalOktaAccount 0

#
# Set the interaction level for the session connected to the physical
# desktop for guest users only:
#
# 0: View-only. The session is connected to the desktop in view-only
#    mode, i.e. the guest can't interact with the physical desktop.
#
# 1: Restricted.
#    Guest users connected to the physical desktop can
#    interact with the desktop except for resize operations.
#
# 2: Interactive. Guests connected to the physical desktop have full
#    interaction with the desktop.
#
#PhysicalDesktopGuestMode 2

#
# Set the interaction level for the session connected to a virtual
# desktop for guest users only:
#
# 0: View-only. The session is connected to the desktop in view-only
#    mode, i.e. the guest can't interact with the virtual desktop.
#
# 1: Restricted. Guest users connected to the virtual desktop can
#    interact with the desktop except for resize operations.
#
# 2: Interactive. Guests connected to the virtual desktop have full
#    interaction possibilities with the desktop.
#
#VirtualDesktopGuestMode 2

#
# Allow the given type of users to connect to the physical desktop
# of any of the available nodes. Set this key to 'all' to allow all
# kinds of users, or to 'none' to completely forbid access to the
# physical desktop. Otherwise give a comma-separated list of values
# to indicate which type of users is allowed to connect, order is not
# relevant and accepted values are:
#
# administrator: system and NoMachine administrators.
#
# trusted:       NoMachine trusted users for connections to physical
#                desktop.
#
# system:        all unprivileged users who have a valid account to
#                login.
#
# owner:         the owner of the physical desktop.
#
# guest:         Guest Desktop Sharing users who login anonymously
#                to cloud server and nodes without having a system
#                account and system guests with an account generated
#                on demand on Linux terminal server nodes.
#
# visitor:       users who login with a system account to the cloud
#                server and switch to guest on the nodes (their
#                username will remain visible on the node).
#
#PhysicalDesktopAccessNodes administrator,trusted,owner,system

#
# Allow the given type of users to connect to a virtual desktop on
# any of the remote nodes.
# Set this key to 'all' to allow all kinds
# of users, or to 'none' to completely forbid connections to already
# running virtual desktops. Otherwise give a comma-separated list of
# values to indicate which type of users is allowed to connect, order
# is not relevant and accepted values are:
#
# administrator: system and NoMachine administrators.
#
# trusted:       NoMachine trusted users for connections to virtual
#                desktops.
#
# system:        all unprivileged users who have a valid account to
#                login.
#
# owner:         the owner of the virtual desktop.
#
# guest:         Guest Desktop Sharing users who login anonymously
#                to cloud server and nodes without having a system
#                account and system guests with an account generated
#                on demand on Linux terminal server nodes.
#
# visitor:       users who login with a system account to the cloud
#                server and switch to guest on the nodes (their
#                username will remain visible on the node).
#
#VirtualDesktopAccessNodes administrator,trusted,owner,system

#
# Specify for how long the server has to wait for a reply from the
# remote node before considering it unreachable. Default value is
# 180 seconds.
#
#NodePingTimeout 180

#
# Specify the frequency with which the server has to send the ping
# message to verify if the remote node is reachable. By default ping
# is sent every 10 seconds.
#
#NodePingInterval 10

#
# Specify for how long a client should try to connect directly to the
# node before switching to tunnel the connection. This requires that
# the node has the tunnel method set for the client connections.
# Default timeout value is 5 seconds.
#
#ClientNodeTunnelConnectionTimeout 5

#
# Specify for how long a client should try to connect directly to the
# node before considering that the connection cannot be established.
# Default value is 30 seconds.
#
#ClientNodeDirectConnectionTimeout 30

#
# Specify for how long the server should try to connect to the remote
# node before considering that the tunnel cannot be established.
# Default value is 10 seconds.
#
#ServerNodeConnectionTimeout 10

#
# Specify for how long the process monitoring the remote node should
# wait before considering that the connection with the node is lost.
# Default value is 30 seconds.
#
#ServerNodeControlConnectionTimeout 30

#
# This is the name nodes will see in the notifications coming from
# this cloud server.
#
#ServerName ""

#
# The execution of custom scripts for the NoMachine cluster requires
# adding the same script on both peers (master and slave servers of
# the cluster).
#
# Specify absolute path of the script to be executed after
# the cluster synchronization.
#
#ScriptAfterClusterSync ""

#
# Specify absolute path of the script to create the shared IP of the
# cluster on the active peer when the cluster is started, i.e. after
# the cluster is configured or once a failover occurred.
#
#ScriptClusterSetSharedIP ""

#
# Specify absolute path of the script to clean up the cluster shared
# IP after events like 'clusterdel', 'shutdown' and 'restart'. The
# shared IP will be created again when configuring the cluster or
# when starting it after a shutdown.
#
#ScriptClusterClearSharedIP ""

#
# The Section directive allows to define settings for the server
# where the Web Player will connect. Edit lines below to define a
# server different from localhost. Protocol is by default 'NX' on
# port '4000'. To use SSH service, specify 'system' and port, by
# default '22' on Linux and Mac and '4022' on Windows.
# Password-based authentication is supported for both protocols,
# key-based authentication is at the moment available only for NX
# protocol. Set respectively 'password' (default) or 'private-key'
# to enable any of them.
#

Section "Server"

Name "Connection to localhost"
Host 127.0.0.1
Protocol NX
Port 4000
Authentication password

EndSection

#
# When WebRTC is enabled, set parameters for STUN/TURN utilities to
# permit NAT traversal for peer to peer direct video, audio and data
# streaming.
# Replace 'hostname' and 'portnumber' with the ip or host
# name of the network server; replace 'username' and 'password' with
# username and password to be used for authenticating to such server.
# If a TURN server has to be contacted, duplicate section below, set
# it to Section "TURN" and provide the appropriate values for Host,
# Port, User and Password parameters. Define multiple sections for
# different STUN or TURN servers to provide an alternative server
# in case the first of the list is not reachable.
#
# Section "STUN"
#
# Host hostname
# Port portnumber
# User username
# Password password
#
# EndSection
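
The Python audit below is an added example, not part of the NoMachine-supplied file. It parses the format used above (active `Key value` lines, `#` comments, `Section` ... `EndSection` blocks), treats a commented-out or missing key as taking the value shown in its `#Key value` line, and checks the effective values against a site baseline. The baseline, the function names and the sample input are assumptions made for the example.

```python
"""Audit a NoMachine server.cfg against a site hardening baseline (added example)."""

# Values copied from the commented-out "#Key value" lines of this file.
# Assumption: a key that is commented out or absent takes this value.
DOCUMENTED_DEFAULTS = {
    "EnableAdministratorLogin": "1",
    "EnableNetworkBroadcast": "1",
    "AcceptedAuthenticationMethods": "all",
    "EnableClientCredentialsStoring": "both",
    "EnableWebGuest": "0",
    "WebAccessType": "unrestricted",
    "NXGSSAPIStrictAcceptorCheck": "1",
}

# Hypothetical site baseline (an assumption, not NoMachine guidance):
# key -> (predicate that is True when the value is acceptable, reason).
BASELINE = {
    "EnableAdministratorLogin": (
        lambda v: v == "0", "root/Administrator may run NX sessions"),
    "EnableNetworkBroadcast": (
        lambda v: v == "0", "host advertises itself on the local network"),
    "AcceptedAuthenticationMethods": (
        lambda v: not {"all", "NX-password"} & {m.strip() for m in v.split(",")},
        "password login over the NX protocol is accepted"),
    "EnableClientCredentialsStoring": (
        lambda v: v == "none", "clients may store username and password"),
    "EnableWebGuest": (
        lambda v: v == "0", "Web Player logs in as guest automatically"),
    "WebAccessType": (
        lambda v: v != "unrestricted", "web start page is shown without login"),
    "NXGSSAPIStrictAcceptorCheck": (
        lambda v: v == "1", "relaxed GSSAPI host credential check"),
}


def parse_server_cfg(text):
    """Return (keys, sections): active top-level keys and Section blocks."""
    keys, sections, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line, description, or commented-out key
        parts = line.split(None, 1)
        name = parts[0]
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if name == "Section":
            current = {}
            sections.append((value, current))  # same name may repeat (STUN/TURN)
        elif name == "EndSection":
            current = None
        elif current is not None:
            current[name] = value  # Host, Port, ... belong to the section
        else:
            keys[name] = value
    return keys, sections


def audit(text):
    """Return findings as (key, effective value, origin, reason) tuples."""
    keys, _sections = parse_server_cfg(text)
    findings = []
    for key, (acceptable, reason) in BASELINE.items():
        if key in keys:
            value, origin = keys[key], "explicit"
        else:
            value, origin = DOCUMENTED_DEFAULTS[key], "default"
        if not acceptable(value):
            findings.append((key, value, origin, reason))
    return findings


# Constructed sample for this example, not a real server.cfg.
SAMPLE = """\
#EnableAdministratorLogin 1
EnableNetworkBroadcast 0
AcceptedAuthenticationMethods NX-private-key,SSH-system
#EnableClientCredentialsStoring both
WebAccessType systemlogin

Section "Server"
Name "Connection to localhost"
Host 127.0.0.1
Protocol NX
Port 4000
Authentication password
EndSection
"""

if __name__ == "__main__":
    for key, value, origin, reason in audit(SAMPLE):
        print(f"{key}={value} ({origin}): {reason}")
```

Keys left commented out are reported with origin "default", which separates settings nobody has reviewed from values an administrator set deliberately.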