10.1.6 Advanced (More) Page
Most users do not need to use the settings on this page.
For each service in the ATRLS:
• “Idle Timeout” is the number of seconds a session is allowed to be idle before being automatically disconnected. To disable the timeout function, set this field to 0 (zero).
• “Disabling TCP KeepAlives”: By default, Telnet and the other services enable a TCP option that occasionally polls the remote host to make sure the connection is still available. Normally this makes possible the cleanup of broken sessions that would otherwise go undetected, which is very desirable for most users. However, on VERY, VERY busy networks this can sometimes cause otherwise good connections to be terminated prematurely (normally only in very long running sessions). If you do have such a situation, use this option to disable TCP KeepAlives for all sessions.
• The “Common WinStations” group allows you to increase the number of possible simultaneous connections.
In Windows, security for “GUI objects” (those in User32.DLL and GDI32.DLL) is encapsulated in a securable object called a Window Station. By default, the ATRLS creates a new Window Station for every connection, giving each logon session its own set of securable GUI objects. While secure, there is a drawback: the number of available Window Stations is limited. Unfortunately, the actual number of Window Stations available varies from release to release of the operating system (including service packs), so we cannot tell you how many connections you can securely have. Generally speaking, if you need fewer than 10 simultaneous connections you should not use any of the options in this group.
If you need more simultaneous connections, you can use the settings below, but there
is a security caveat. If your telnet users run programs that access the GUI subsystem
[for example the clipboard or any window other than a command prompt (console)
window], then these programs will open on a Window Station/Desktop combination
that is completely open to manipulation by ALL users. Microsoft uses this approach in
their Unix Services for Windows product, so presumably it is not extremely unsafe.
To enable the use of common Window Stations set non-zero values in the “Common
WinStations” and “Sessions Per WinStation” fields. Barring Windows-imposed
resource limits, the total number of possible simultaneous logon sessions will be: the
two numbers multiplied together (i.e. “Common WinStations” * “Sessions Per
WinStation”).
Using the values “Common WinStations”: 2 and “Sessions Per WinStation”: 50, we have been able to get 100 simultaneous connections under Windows. Please note that other installed software may also use the underlying resources in Windows, so your results may vary.
If you need even more simultaneous connections, you need to carefully consider one additional step, as Windows tends to run out of other resources. A detailed explanation is beyond the scope of this manual. For more information, please see the following Microsoft Technical Notes: Q142676, Q126962, Q169321, Q184802.
For example, by changing SharedSection=1024,3072,512 to SharedSection=1024,3072,1024 (with “Common WinStations”: 4 and “Sessions Per WinStation”: 50) we were able to get 200 simultaneous connections.
To disable the use of common Window Stations, set “Common WinStations” to 0
(zero).
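The first two options on this page (“Idle Timeout” and “Disabling TCP KeepAlives”) are ordinary socket-level settings, and their effect is easiest to see on a live connection. The following Python script is an added example written for this page, not code from the ATRLS manual or product: it applies both settings to a loopback echo session and reports why the session ended. The function names and the "0 disables the timeout" convention are assumptions modelled on the field descriptions above; how the ATRLS itself implements them is not shown here.

```python
import socket
import threading
import time


def configure_session_socket(sock, idle_timeout, tcp_keepalives):
    """Apply two per-session settings to a connected TCP socket.

    Illustrative helper (not ATRLS code):
    idle_timeout   -- seconds a session may sit idle; 0 disables the timeout,
                      the same convention the ATRLS 'Idle Timeout' field uses.
    tcp_keepalives -- False mirrors 'Disabling TCP KeepAlives': no kernel probes,
                      so a peer that vanished silently is never noticed.
    """
    sock.settimeout(None if idle_timeout == 0 else idle_timeout)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1 if tcp_keepalives else 0)


def serve_one_session(conn, idle_timeout, tcp_keepalives):
    """Echo to the peer until it closes or stays idle too long.

    Returns {"reason": "idle timeout" | "peer closed", "keepalive": 0 | 1},
    where "keepalive" is the SO_KEEPALIVE flag the socket actually carries.
    """
    configure_session_socket(conn, idle_timeout, tcp_keepalives)
    keepalive = conn.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)
    try:
        while True:
            data = conn.recv(1024)  # raises socket.timeout after idle_timeout seconds
            if not data:
                return {"reason": "peer closed", "keepalive": keepalive}
            conn.sendall(data)
    except socket.timeout:
        return {"reason": "idle timeout", "keepalive": keepalive}
    finally:
        conn.close()


def run_demo(idle_timeout, tcp_keepalives, client_quiet_for):
    """Loopback demonstration: a constructed client sends one line, then stays
    silent for client_quiet_for seconds before closing. Returns the server's verdict."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    outcome = {}

    def server():
        conn, _ = listener.accept()
        outcome.update(serve_one_session(conn, idle_timeout, tcp_keepalives))

    t = threading.Thread(target=server)
    t.start()
    client = socket.create_connection(listener.getsockname())
    client.sendall(b"hello\r\n")
    if client.recv(1024) != b"hello\r\n":  # echoed while the session is live
        raise RuntimeError("echo failed")
    time.sleep(client_quiet_for)
    client.close()
    t.join()
    listener.close()
    return outcome


if __name__ == "__main__":
    # Timeout of 0.2 s, client silent for 1 s: the server drops the session itself.
    print(run_demo(0.2, True, 1.0))
    # Timeout disabled (0): the server only notices when the client closes.
    print(run_demo(0, False, 0.1))
```

With the timeout set, a client that sends one line and then falls silent is disconnected after 0.2 seconds; with the timeout at 0 the server only learns of the session's end when the client closes. The keepalive flag is what the operating system then relies on to probe a peer that never closes at all: with KeepAlives disabled and Idle Timeout at 0, a peer that vanishes silently leaves the server-side session open indefinitely.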
10.2 Configuring the ATRLS from the Command Line
As a complement to configuration via the Control Panel, the ATRLS comes with two programs that allow you to configure the service from the command line: AUSERADM.EXE and ACONFIG.EXE. The AUSERADM.EXE program allows the addition, deletion, editing, and listing of user accounts for the ATRLS. The ACONFIG.EXE program configures the remaining parameters that can also be configured from the ATRLS Control Panel.
Both programs have a “dump” command that you can use to automatically generate a “.CMD” file that will allow you to easily duplicate configurations on multiple machines. This feature can be a big time saver. Example:
auseradm dump >uconfig.cmd
Creates a batch command file called uconfig.cmd, containing a series of AUSERADM.EXE commands that, when executed, will duplicate the existing set of users.
To get usage information for either program, execute it with the “help” command (or /?)
as in:
auseradm help
aconfig /?
10.3 Advanced Configuration
10.3.1 Automatic Logon
It is possible to cause the ATRLS to use one of two forms of automatic logon
configuration. We do not recommend the use of these features for most users because:
1. A detailed knowledge of Windows security is necessary to use the feature securely. In particular, if you do not have a good understanding of the relationship between Windows Local Groups, Global Groups and User Accounts, you should NOT use this feature. If you do not have a good understanding of the difference between a user name on the local machine and a user name in the domain, you should NOT use this feature.
2. Users allowed to log on using this feature are not able to use the Rshd service. Nor are they allowed to Rlogin without a password.
3. It is not possible to support user accounts with the same name, even if they are in different domains. The incoming protocols only support short names, so it is not possible to properly support fully qualified Windows user names. If you add users with the same name (directly or indirectly) to the same local group, only one of them will be able to log on. (Which user that is will appear random.)
Due to the complexity of these features, only limited technical support is available. In particular, we will not help users who lack the needed understanding of Windows security to gain this understanding. (It is a complex subject, far too complex to explain during the course of a technical support e-mail exchange.)
The configuration parameters for these features CANNOT be set from the ATRLS
Control Panel.
If the issues above do not present a problem for you, choose ONE of the following:
10.3.1.1 Allowing any user account to log on without further configuration
To enable this feature, issue the following command:
aconfig AllowAnyAccountToLogon 1
You should also set a home directory for these users as follows:
aconfig AutomaticLogonHomeDirectory "PathOfHomeDirectory"
Where PathOfHomeDirectory is the pathname of the home directory that will be given to
all users when they logon via the ATRLS.