Leostream Connection Broker – Frequently Asked Questions

Getting Started
Installation, Upgrades and Licensing
Common Setup Questions

General Setup
Network Setup
Authentication Server Setup
Adding Centers
Desktop Management
Clients and Locations
Protocol, Power Control, and Release Plan Setup
End-User Experience
Policy Setup
Policy Assignments
Scalability

Troubleshooting
Networking
General
Authentication Servers and Assignments
Working with Centers
Working with Desktops
Working with Clients


Getting Started

Why do I need a Connection Broker?
The Leostream Connection Broker provides the tools you need to deliver and manage any end-user resources hosted in the data center efficiently and securely, including virtual machines, blades, applications, printers, and more. The Leostream Connection Broker allows you to use the best technology to satisfy your users' needs, including mixing and matching different virtualization vendors and different display protocols, while integrating with your existing infrastructure.

How do I obtain a trial license?
You can obtain a 30-day trial license, as follows:

  • Go to www.leostream.com.
  • Click on the Free Trial link at the top right-hand side of the page.
  • Enter your contact information and click Submit.

Leostream will send an email to the email address entered in the Free Trial form, with instructions on how to download the Connection Broker. After you install your Connection Broker, contact Leostream sales at +1 781-890-2019 x710 to obtain your trial license.

Where do I download the Connection Broker?
Click here to download the Leostream Connection Broker virtual appliance. See the Leostream Installation Guide for instructions on installing the virtual appliance into your specific virtualization layer. After you complete the installation, go to the > System > Maintenance page and perform an update to ensure that you have the latest Connection Broker release.

What ports does the Connection Broker use for communications?
The Connection Broker uses different ports to talk to different systems. See "Connections to External Systems" in the Connection Broker Virtual Appliance Guide for a diagram of all ports used by the Connection Broker.   

How do I configure my Connection Broker?
How you configure your Connection Broker – defining your authentication server, creating desktop and/or application centers, building pools, plans, and policies, and assigning policies to users – depends on your environment. See the Tutorials page for step-by-step setup guides that are most appropriate for your deployment.



Installation, Upgrades, and Licensing

How do I install my Connection Broker?
The Connection Broker is a virtual appliance that you import into your virtualization layer. The Installation Guide describes the installation steps. The installation steps vary depending on which virtualization layer you use.

Why do I need the Leostream Agent?
The Leostream Agent communicates with the Connection Broker to provide information about when a user logs out of, disconnects from, or locks their remote session. In addition, the agent implements the Leostream end-user experience enhancements, including managing USB device passthrough, network printer redirection, and multi-monitor support.

How do I perform an unattended installation for Leostream Connect or the Leostream Agent?
You can store the settings for a particular Leostream Connect or Leostream Agent installation and use those settings to automate future installations.

For the Windows versions of the client and agent, run the installer from the command line using the following example syntax:

     LeostreamConnectSetupXXX.exe /SAVEINF="filename"

Then use the following command to automate future installations:

     LeostreamConnectSetupXXX.exe /LOADINF="filename"

If you want a silent unattended installation, add the /SILENT or /VERYSILENT option to the file saved by the /SAVEINF command. A full list of command-line installation parameters is documented in Appendix A of the Leostream Installation Guide.

For the Java version of the client and the agent, run the graphical installer and select the Generate an automatic installation script option when the installation completes to generate an XML file that you can use to install additional clients and agents. See the Leostream Installation Guide for complete instructions.

How do I upgrade the Leostream Agent on my desktops?
The Connection Broker can push out Leostream Agent upgrades to all of your remote desktops. To perform the upgrade, the Leostream Agent must be able to verify that the source of the upgrade request is your Connection Broker. Therefore, the Leostream Agent must have a working connection to the Connection Broker before attempting the upgrade, either through a DNS SRV record or IP address definition. You can double check your connection on the Agent using the Test button on the Options tab on the Leostream Agent Control Panel dialog.

Note: If you install the USB component on the Leostream Agent, you may encounter a Windows security pop-up regarding drivers that halts the installation. Therefore, desktops with USB support may require manual intervention to complete the Leostream Agent installation.

To update the Agents:

  • Go to the > Resources > Desktops list.  Desktops with an old Leostream Agent have an Upgrade choice in the Actions column.
  • Choose Upgrade. The Connection Broker pushes the Agent out to the desktop, where it is installed and restarted remotely. Note: the Agent is restarted, not the desktop.
  • To upgrade several desktops:
    • Select the checkboxes for these desktops in the Bulk actions column. If the column of bulk actions checkboxes is not shown, click the Customize link at the bottom of the page and ensure that the Bulk actions item is in the Selected Items list.
    • Choose Edit from the dropdown menu at the top of the Bulk actions column.
    • Check Upgrade Agent to latest version.
    • Click Save. The Connection Broker upgrades the Leostream Agent on all of the selected desktops.

Why can't I upgrade my Connection Broker?
Your support license expiration date indicates the last day you are eligible for Connection Broker upgrades and online support. Once the expiration date has passed, the Check for updates option is disabled. To view your support expiration date, go to the > System > Maintenance page or look at the bottom of any page in the Connection Broker Web interface.


Common Setup Questions

General Setup

Why are some features missing in my Connection Broker?
Not all features are turned on by default. If the functionality you are looking for (such as provisioning new virtual machines or controlling USB device redirection) seems to be missing, go to the > System > Settings page to enable these features. See "Enabling Global Connection Broker Features" in Chapter 3 of the Connection Broker Administrator's Guide for a complete list of features and instructions.

What are the general steps I need to do to configure my Connection Broker?
Configuring the individual elements in your Connection Broker is highly specific to your organization's needs. That said, you typically need to configure the following elements, in this order.

  1. Enable features on the > System > Settings page
  2. Add authentication servers on the > Users > Authentication Servers page
  3. Add centers on the > Resources > Centers page
  4. Define pools on the > Resources > Pools page
  5. Build Protocol, Power Control, and Release plans on the associated > Plans pages
  6. Combine pools and plans into policies on the > Users > Policies page
  7. Assign policies to users on the > Users > Assignments page
  8. Test user logins on the > Users > Users page

See the Tutorials page for step-by-step guidelines.

After you have a basic understanding of the Connection Broker, investigate how Roles, Registry Plans, Printer Plans, and other advanced functionality can improve the usability of your environment.

How do I transition from HP SAM to Leostream?
Moving your HP SAM environment to Leostream requires you to change your understanding of certain concepts and terminology. See the HP SAM Transition Guide for a description of how to map HP SAM concepts to Leostream, and for guidelines on how to build your HP SAM environment in Leostream.


Network Setup

Why do I need to set the VIP?
The Connection Broker VIP address serves the same purpose as a DNS SRV record, and can be used in cases where you do not have or cannot create a DNS SRV record. If you have a single Connection Broker, in most cases, you can leave this field empty. However, there are a number of cases where you do need to enter an appropriate VIP to ensure that your Leostream Agents properly function. See "Setting Network Configuration and Connection Broker VIP" in Chapter 2 of the Connection Broker Administrator's Guide for information on when you need to set up the VIP, and how to do so.

How do I set up a DNS record for my Connection Broker?
Service Location records enable Leostream Connect and the Leostream Agent to automatically discover the address of the Connection Broker by querying the DNS server. See the Leostream DNS Setup Guide for information on setting up DNS.


Authentication Server Setup

How do I add my authentication server to my Leostream Connection Broker?
Go to the > Users > Authentication Servers page to add Microsoft Active Directory, Novell eDirectory, OpenLDAP, or NIS authentication servers to your Connection Broker. See "Chapter 13: Authenticating Users" in the Connection Broker Administrator's Guide for complete instructions.

What level of permissions does the user associated with my authentication server records need?
The user you enter into the Add Authentication Server form needs to have read access to the user records in your authentication server. If you will use Active Directory to inventory desktops in your Connection Broker, the user must have permission to read Computer records, as well.

When should I uncheck the "Query for group information" option?
The Query for group information option indicates that the Connection Broker should retrieve the available Active Directory groups when you access the > Users > Assignments page. If you have a large number of groups, this query can take a significant amount of time. Therefore, in this case, you should uncheck this option before saving your Add Authentication Server form.

How do I configure Leostream in a multi-domain environment?
If you have multiple domains, create different authentication server records in the Connection Broker for each domain. In multi-domain environments, the Connection Broker queries the authentication servers according to their Position variable. The domains do not need to be trusted. See "Chapter 13: Authenticating Users" in the Connection Broker Administrator's Guide for instructions on how to add domains to your Connection Broker.

What if I have an authentication server other than Active Directory?
The Connection Broker can authenticate users against Novell eDirectory, NIS, and any authentication server that uses the standard OpenLDAP format. Use the Type drop-down menu to correctly set default values for the different types of supported authentication systems.

See "Chapter 13: Authenticating Users" in the Connection Broker Administrator's Guide for complete instructions on adding the different types of authentication servers to your Connection Broker.


Adding Centers

Why do I need to add Centers?
The Connection Broker communicates with Centers to inventory and manage all the resources you want to deliver to your users. If you do not create any centers, you cannot offer desktops, applications, or printers to your users. See "Chapter 5: Understanding Connection Broker Centers" in the Connection Broker Administrator's Guide for information on what types of Centers you can create and complete instructions.

What type of Center do I need if I'm transitioning from HP SAM?
The Connection Broker inventories physical desktops and blades using an Active Directory Center. Before you create an AD center, you must define an Authentication Server record for your Active Directory Server. See "Active Directory Centers" in Chapter 5 of the Connection Broker Administrator's Guide for instructions on adding AD centers.

What privileges do I need to interact with VMware vCenter Server?
The Leostream Connection Broker requires specific VMware vCenter Server (vCenter) privileges in order to perform various actions, such as starting and stopping VMs or provisioning virtual machines from templates. If your Connection Broker is unable to perform any of these actions, you may have created your center with an account that does not have all the required privileges.

Click here to download a description of what vCenter Server privileges are required to perform the various Connection Broker actions. Then, ensure that the account provided for your vCenter Server center in the > Resources > Centers page has the necessary privileges.

What if I have desktops that aren't part of any of the supported Centers?
If you have a physical desktop that is not in Active Directory or a virtual machine that is not hosted by a natively supported hypervisor, you can install the Leostream Agent onto the desktop or VM to inventory and manage the desktop. You can also manually add the desktop to the Connection Broker. In these cases, the desktop is a member of the Uncategorized Desktops Center. See "Adding Uncategorized Desktops" in Chapter 6 of the Connection Broker Administrator's Guide for more information.


Desktop Management

How do I allow multiple users to log in simultaneously on a Linux server?
Linux servers, such as those running the NoMachine NX Enterprise Server software, can host multiple user sessions at a time. Typically, the Connection Broker assigns only one user to a particular desktop or session, at a time. Therefore, to allow multiple users to log in simultaneously to a Linux server, you must define multiple sessions in the Connection Broker. You define these sessions by creating a Remote Desktop Services center for the Linux server.

For a complete example, click here.

What type of power control does the Connection Broker provide for my desktops?
The Connection Broker can perform different types of power operations based on what Center the desktop is registered from. You can manually perform power control operations on a particular desktop using the Control action on the > Resources > Desktops page. You can also use Power Control Plans to schedule power operations for desktops assigned to users. See "Power Control for Desktops" in Chapter 6 of the Connection Broker Administrator's Guide for more information on what power control options are available for different types of desktops.

How do I set up single sign-on when using a Novell client?
Leostream Agent 4.4 automatically configures the remote desktop's registry keys to support single sign-on when logging in with Novell client 4.91 SP4.

If you are using version 4.91 SP4 of the Novell client, and do not want to install the Leostream Agent on your remote Windows desktops, you must create the following registry keys in order to perform single sign-on, as described in the Novell documentation.

In HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login

  • TSClientAutoAdminLogon
    • Value Type=REG_SZ
    • Data=1
  • DefaultLoginProfile
    • Value Type=REG_SZ
    • Data=Default
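
The following PowerShell sketch audits, and optionally sets, the two values listed above so that you can confirm which desktops have this single sign-on configuration in place. It is an added example, not Leostream or Novell code; the function names are hypothetical, and it assumes an elevated PowerShell session on the remote Windows desktop.

```powershell
# Added example (not Leostream or Novell code). Function names are hypothetical.
# The key path, value names, type and data are the ones listed above.
$NovellLoginKey = 'HKLM:\SOFTWARE\Novell\Login'
$ExpectedValues = [ordered]@{
    TSClientAutoAdminLogon = '1'
    DefaultLoginProfile    = 'Default'
}

function Test-NovellSsoValues {
    # Reports, per value, what is present and whether name, type and data match.
    param([string]$Path = $NovellLoginKey)

    $key = $null
    if (Test-Path -Path $Path) { $key = Get-Item -Path $Path }

    foreach ($name in $ExpectedValues.Keys) {
        $actual = $null
        $kind   = $null
        if ($key -and ($key.GetValueNames() -contains $name)) {
            $actual = $key.GetValue($name)
            $kind   = $key.GetValueKind($name)
        }
        [pscustomobject]@{
            Name      = $name
            Expected  = $ExpectedValues[$name]
            Actual    = $actual
            Kind      = $kind
            Compliant = ($kind -eq [Microsoft.Win32.RegistryValueKind]::String) -and
                        ($actual -ceq $ExpectedValues[$name])
        }
    }
}

function Set-NovellSsoValues {
    # Writes only the values that the audit reports as missing or different.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $NovellLoginKey)

    if (-not (Test-Path -Path $Path) -and $PSCmdlet.ShouldProcess($Path, 'Create key')) {
        New-Item -Path $Path -Force | Out-Null
    }
    $drift = Test-NovellSsoValues -Path $Path | Where-Object { -not $_.Compliant }
    foreach ($row in $drift) {
        if ($PSCmdlet.ShouldProcess("$Path\$($row.Name)", "Set REG_SZ to '$($row.Expected)'")) {
            New-ItemProperty -Path $Path -Name $row.Name -Value $row.Expected `
                -PropertyType String -Force | Out-Null
        }
    }
}

Test-NovellSsoValues | Format-Table -AutoSize   # audit only; changes nothing
# Set-NovellSsoValues -WhatIf                   # preview, then rerun without -WhatIf
```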

If you are experiencing problems with single sign-on when using version 4.91 SP4 of the Novell client, see the related Novell forum for more information.

When configuring the Microsoft RDP configuration file for single sign-on with Leostream Connect, it is important to use the Novell Fully Qualified Domain Name, which has the format .cn=Fred.ou=Users.o=Company and is contained within the {NOVELL_FQDN} dynamic tag.

For more information, refer to the Novell application note on eDirectory naming conventions.

If you can connect but cannot get full access to resources, read the Novell support documents 10087621 and 10052847.


Clients and Locations

When do I need to set up Locations?
Leostream Locations allow you to provide the user with different Roles and Policies based on the physical location of the user's client device. In addition, Locations allow you to tailor the user's experience by attaching different printers, setting registry keys, changing display plans, using different protocols, etc., based on where the user is located. For a complete description of how to set up and use locations, see "Chapter 12: Configuring User Experience by Client Location" in the Connection Broker Administrator's Guide.

How do I access my desktops from an Apple iPad or iPhone?
Leostream suggests that users log into their Connection Broker using the Safari Web browser provided on their iOS device. Configure the user's Protocol Plan to launch an RDP connection and ensure that the user has an RDP app that can launch connections based on an RDP-file installed on their iOS device.

How do I change the Connection Broker address in Leostream Connect when the client is installed on Windows 7?
After installing Leostream Connect, you must run Leostream Connect as a user with administrator rights if you need to modify the Connection Broker address. Windows 7 requires elevated privileges to run Leostream Connect as an administrator.

To run Leostream Connect with the required privileges on Windows 7:

  1. Right-click on the Leostream Connect icon on the desktop

  2. Select Run as Administrator

  3. If necessary, enter administrator credentials

After Leostream Connect launches, you can access the Options dialog via the System Tray menu and change the Connection Broker address.

How do I install Leostream Connect on an HP gt7725 Thin Client?
When using an HP gt7725 thin client, you can log in to your Leostream Connection Broker using the HP SAM client that is natively installed on the gt7725. If, instead, you want to use the Leostream Connect client, you must manually install the Java version of Leostream Connect and a Java run-time environment on the thin client.

Click here for complete instructions for installing Leostream Connect on your HP gt7725 thin client.

How can I repurpose my PCs and laptops as thin clients?
You can use the Leostream Connect client to turn existing PCs and laptops into VDI clients. By installing Leostream Connect in shell mode and with client-side single sign-on, you can hide the underlying operating system and any applications on the client device.

If you install Leostream Connect in shell mode and with client-side single sign-on, end users experience the following behavior:

  1. The user boots up their desktop/laptop and sees the normal Windows login prompt.
  2. The user enters their credentials into the Windows login prompt.
  3. Because Leostream Connect is in shell mode and using client-side single sign-on, after the user logs in, Leostream Connect automatically starts up (but does not present a login dialog), grabs the user’s credentials, and passes those on to the Connection Broker.
  4. If the user’s policy offers them a single desktop, Leostream Connect automatically launches the remote session. If the user’s policy offers them multiple resources, Leostream Connect offers the list of resources.
  5. When a remote session is launched, Leostream Connect automatically signs the user into the remote session. From an end user’s perspective, it’s as if their original Windows login logged them directly into the remote session.
  6. When the user logs out of the remote session, they are logged out of Leostream Connect and taken back to the original Windows login screen.


Protocol, Power Control, and Release Plan Setup

How do I set up a Protocol Plan to connect to a Linux desktop?
You can connect to a Linux desktop from either a Windows or Linux client. If connecting from a Linux client, install the Java version of Leostream Connect on the client device.

To define a protocol plan to use when connecting to Linux desktops:

  • Go to the > Plans > Protocol page.
  • Select Edit for the protocol plan.
  • In the Leostream Connect and Thin Clients Writing to the Leostream API section, select the appropriate number from the Priority drop-down menus for each of the protocols that can be used to connect to a Linux desktop.
  • Enter appropriate information in the Command line parameters and Configuration file fields.
  • Set the Priority drop-down menu for all other protocols, such as RDP, to Do not use.

Note: If you are connecting to a Windows machine from a Linux client, ensure that you set the Priority for rdesktop to 1, and the Priority for RDP to Do not use.

How do I launch different remote viewers based on the Web browser used?
If you have end users with different types of Web browsers, you may not want to use the same remote viewer for each user. For example, if the end user logs in via Microsoft Internet Explorer, you may want to launch an ActiveX RDP session; if they log in via Mozilla Firefox, you must launch a regular RDP session.

Use Connection Broker locations to support this scenario. Click here to download a document that describes how to configure your Connection Broker to use locations to override the remote viewer selected by the protocol plan in the user's policy.

How do I set up my Connection Broker to support NoMachine NX session shadowing?
You can allow two users to collaborate using the same NoMachine NX session, using the native capabilities provided by NoMachine. To do so:

  1. Provide the user with a Role that allows them to shadow another user's session and invite other users to shadow their session
  2. Configure a Policy that enables shadowing for the appropriate pool of desktops

For complete instructions, see "Session Shadowing and Collaboration" in the Leostream Choosing and Using Display Protocols guide.

How do I set up my Protocol Plan to support different HP RGS features?
Leostream connects users to their desktops using a native RGS Receiver to RGS Sender connection. Use the Configuration file edit field in the RGS section of the protocol plan to configure what features are enabled during that connection. If you leave this field empty, do not specify a particular RGreceiver parameter, or do not turn on the IsMutable field for a particular RGreceiver parameter, the connection defaults to the value set in the RGS Receiver GUI.

For example, the following configuration file turns off the border and enables monitor resolution and display layout mapping. All other features, such as hot key mappings, are set by the user's RGS Receiver GUI.

Rgreceiver.IsBordersEnabled=0
Rgreceiver.IsBordersEnabled.IsMutable=0
Rgreceiver.IsMatchReceiverResolutionEnabled=1
Rgreceiver.IsMatchReceiverResolutionEnabled.IsMutable=0
Rgreceiver.IsMatchReceiverPhysicalDisplaysEnabled=1
Rgreceiver.IsMatchReceiverPhysicalDisplaysEnabled.IsMutable=0

For additional examples, see the "HP Remote Graphics Software (RGS)" section of the Leostream Choosing and Using Display Protocols guide.

How do I build a Release Plan that always leaves the user assigned to their desktop?
The Default Release Plan releases the user's desktop back to the desktop's pool as soon as the user logs out of the desktop. After the desktop is released to its pool, the desktop is available for other users. If you want the user to retain their desktop assignment, create a new persistent Release Plan that selects Never from all Release to pool drop-down menus.

If the user is persistently assigned to their desktop, their username appears associated with the desktop on the > Resources > Desktops page even after the user logs out of the desktop. You can manually release the desktop by clicking the Release link associated with the desktop on the > Resources > Desktops page.

How do I build a Release Plan that monitors how long the user's session is idle?
Use the When Desktop is Idle section of the Release Plan and Power Control Plans to manage the user's desktop after the user has been idle for a specified length of time. You can choose to lock the desktop, disconnect the user, log out the user, or even shut down the desktop. When logging the user out, you can suspend the logout event until the desktop's CPU drops below a specified threshold for a length of time. See the example for "Performing Actions Based on User and System Idle Time" in Chapter 10 of the Leostream Connection Broker Administrator's Guide for complete instructions.


Defining End-User Experience

How do I use the Leostream screen management feature?
The Leostream screen management feature allows you to provide a native, and even enhanced, multi-display experience to your end users. By installing the Leostream Agent on the remote desktop and configuring Display Plans in your Connection Broker, the user's remote session intelligently positions windows across multiple displays and allows the user to save and restore window positions based on the number of attached displays.

See the Using Leostream Screen Management for Multiple Displays guide for complete instructions on how to configure display plans and use the Leostream screen management feature.

How do I control USB device passthrough?
Leostream provides granular control over USB device passthrough when your users connect to their desktops using Leostream Connect. To use the Leostream USB device passthrough feature:

  1. Install the Leostream Agent on the remote desktop, ensuring that the USB device passthrough task is selected during the installation.
  2. Install Leostream Connect on the user's client, ensuring that the USB device passthrough task is selected during the installation.
  3. Turn on the USB device passthrough feature on the Connection Broker > System > Settings page.
  4. Select the Allow Connection Broker to manage USB passthrough option in the user's policy.
  5. Use the USB Device Management section in the user's policy to configure which devices the user is allowed to pass through to their remote desktop.

See the Leostream Connect Administrator's Guide for more information on using the Leostream USB Device Passthrough feature.


Policy Setup

How do I configure my policy to allow the user to log into either a Windows or a Linux machine?
One policy can assign both Windows and Linux machines. Define different protocol plans to use when connecting to each type of desktop. When defining policies, assign these Windows and Linux protocol plans to the associated Windows and Linux pools.

Note: The Connection Broker chooses which protocol to use based on which port is open on the remote desktop. The Connection Broker does not currently take the client's capability into account when choosing a protocol from the protocol plan.

What are some common considerations when defining policies and assignments?
Leostream Connection Broker policies are incredibly flexible, allowing you to configure your system specifically for your business needs. The following list indicates some things to consider when working with policies and assignments.

  • In some cases, it is useful to hard-assign desktops to particular users. However, to get the most out of your deployment, use Connection Broker policies to assign resources to users, instead of performing hard-assignments.
  • Once a machine is assigned to a user, the Connection Broker continues to deliver that same desktop to the user whenever they log in. This behavior may reduce system overhead in some Windows environments. Keep in mind, however, that you cannot assign that machine to another user without first releasing the machine from the first user. To maximize resource usage, set the policy to release the desktop back to the pool when the user logs out.
  • In order to save system resources, shut down or suspend desktops after they are unassigned from a user. Keep in mind, however, that this feature may increase the time it takes for a user to log in to their desktop. Also, if several desktops simultaneously require a reboot, this feature may cause a spike in system resources, such as disk I/O. If you are using this feature, make sure to monitor your system when you have many users simultaneously logging in.
  • Also, suspended machines resume with the same IP address as they were previously assigned. In a DHCP environment, be aware of your DHCP lease expiration period. To use the suspend-and-restore policy feature, ensure that the DHCP lease expiration time is longer than the elapsed time a machine is typically suspended.


Policy Assignments

How do I assign users to roles and policies using something other than Active Directory group membership?
By default, the Connection Broker creates authentication servers with the Query for group information check box selected. In this case, the first column in the Assigning User Role and Policy section of the Edit Assignments form contains drop-down menus pre-populated with the groups in the authentication server.

If you have a large number of groups or if you want to use an attribute other than group membership when defining assignment rules, deselect the Query for group information option and save the Edit Assignments form. See "Assigning Roles and Policies Based on Any Attribute" in Chapter 14 of the Connection Broker Administrator's Guide for more information.

How can I test which desktops are offered to a particular user?
Use the Test Login to determine which policy and, therefore, desktop will be offered to a user. To do so:

  • Go to the > Users > Users page.
  • Click the Test Login link.
  • Enter the name of the user to test in the User Name edit field. This user does not need to already be in the Connection Broker database.
  • If appropriate, select a domain, location, and client to test the login from.
  • Click Test.

During the test:

  • The Connection Broker queries the Authentication Server for the user’s group membership
  • The Connection Broker assigns a policy based on the group membership
  • The available desktops are selected from the pools in the policy
  • The Connection Broker selects particular desktops for assignment
  • The Connection Broker selects the appropriate remote viewer protocol


Scalability

How do I build a cluster of Connection Brokers?
A cluster is a group of Connection Brokers that share a common external Microsoft SQL Server 2005 or 2008 database. Clustering Connection Brokers allows you to support more connections per second, while assuring redundancy in the event that one of your servers fails.

The simplest way to create a cluster is as follows:

  • Install and configure your initial Connection Broker using an internal database.
  • Once that Connection Broker is configured as required, switch to an external SQL Server database, as follows:
    • Go to the > System > Maintenance page.
    • Select the Switch to another database option.
    • Click Next.
    • Select the Use a remote Microsoft SQL Server 2005, 2008, or 2012 database option.
    • Enter the IP address, port, database name, username, and password for your database. If a database with the specified name does not exist, one is automatically created.
    • Enter a value into the Site ID field. All Connection Brokers in the cluster must have a unique ID.
    • Click Save. The Connection Broker downloads the information from its internal database into the external database.
  • Install the additional Connection Broker. To maximize redundancy, install the brokers on different virtualization hosts.
  • For each additional Connection Broker, switch to the SQL Server database as described in step 2, making sure to give each Connection Broker a unique Site ID.


What is the "Best Practices" method for updating a cluster of Connection Brokers?
To update a cluster of Connection Brokers, follow the instructions on the Updating Connection Broker Clusters page. To download the instructions, click here.


How do I ensure that my Connection Broker deployment is production-ready?
The Leostream Connection Broker is a production-class virtual appliance. To ensure a production-class deployment of your overall VDI, create systems that ensure the redundancy, resiliency, and scalability of your deployment, including:

  • Create a Connection Broker cluster that contains sufficient Connection Brokers to handle user logins in the event that a server hosting one of the Connection Brokers fails. For added resiliency, when building the Connection Broker cluster, ensure that you place individual Connection Brokers on different servers.
  • Establish a schedule for backing up your Connection Broker database. Implement your site standard database backup procedure, to ensure that your data is protected.
  • Create weekly snapshots of each Connection Broker virtual machine. By backing up the entire Connection Broker virtual machine, you do not need a separate backup procedure for the underlying Connection Broker operating system.
  • Create monthly clones of each Connection Broker virtual machine. Leostream recommends storing these backups in an off-site location. Test your restore process to ensure that the media can be read, and that procedures are correctly documented.
  • Use DNS to configure your Connection Broker IP addresses. Your DNS will round-robin between Connection Brokers during normal operation.
  • Never perform a Connection Broker upgrade without first taking a snapshot of your existing Connection Broker virtual machine. Also, test upgrades in an isolated deployment, before rolling out to your production environment.



Troubleshooting

Networking

Why am I receiving the “Can't connect to 10.100.5.37:8080 (connect: Connection refused)” error?
Typically, this error indicates that the Connection Broker is blocked by a firewall.


Why am I receiving the “Unable to scan: protocol error, "500 Can't connect to 10.100.5.37:8080 (connect: No route to host)” error?
Typically, this error indicates there is a DNS error, where the Connection Broker cannot reach other machines.


Why do I get a "Web site under construction" page?
If the user receives a Web site under construction page, you have another Web server running on the same IP address as your Connection Broker. You must have a unique IP address for the Connection Broker.

To confirm this, turn off the Connection Broker and check that you get the same result. Then reconfigure your system so your Connection Broker has a unique IP address.



General

Why is the Delete button missing on some of my forms?
The Connection Broker hides the Delete button if the record associated with the form is still in use. For example:

  • Tag: If the Delete button is not available for a tag, that tag is assigned to at least one of your desktops. Look at the Tag columns in the > Resources > Desktops page to determine which desktops are referencing the tag. Edit these desktops so they no longer reference the tag you want to delete.
  • Location: If the Delete button is not available for a location, at least one of your authentication servers uses that location to assign a role and policy to a user. Edit the Assigning User Role and Policy section of all of your authentication servers to ensure that they do not reference this location.
  • Plan: If the Delete button is not available for a plan, at least one of your policies references this plan. Check all the pools in all your policies, and ensure that this plan is not referenced in any of the associated Plan drop-down menus.
  • Policy: If the Delete button is not available for a policy, at least one of your authentication servers can assign that policy to a user. Edit the Assigning User Role and Policy section of all of your authentication servers to ensure that they do not reference this policy.
  • Role: If the Delete button is not available for a role, at least one of your authentication servers can assign that role to a user. Edit the Assigning User Role and Policy section of all of your authentication servers to ensure that they do not reference this role.
  • Authentication Server: If the Delete button is not available for an authentication server, one of your existing Active Directory centers references that authentication server. Check the Active Directory centers in the > Resources > Centers page and ensure that none of these centers point to the authentication server you want to delete.


What can I do if my Connection Broker disk is full?
If you are using the Connection Broker internal database, you may experience disk-full errors. Typically, disk-full errors occur if you are running your Connection Broker in debug mode and, therefore, storing large amounts of logging information. The log files may grow to a size that fills the Connection Broker disk, and you may no longer be able to log into your Connection Broker or, in the worst case, successfully boot the Connection Broker virtual machine.

To solve disk-full errors, you can mount the full Connection Broker virtual disk onto a second Connection Broker, and manually clean out the large files. Click here to download a document describing this procedure.



Authentication Servers and Assignments

Why does my Assignments page take so long to load, or not load at all?
If you selected the Query for group information option when you created your authentication server, the Assignments page attempts to load all your Active Directory groups before drawing the page. If your Active Directory contains a large number of groups, the page draw may be slow or may even time out. To solve this problem:

  • If the page draw is slow, uncheck the Query for Active Directory Group information option at the bottom of the Edit Assignments page and save the form.
  • If the Assignments page will not draw, go to the > Users > Authentication Servers page and delete the Authentication server associated with the assignments page. Then, recreate the authentication server, ensuring that you uncheck the Query for group information option at the bottom of the Add Authentication Server form before saving the form.


Why can the Connection Broker not locate users in my Authentication server, i.e., what permissions must the account used to create the Authentication Server be granted?
When creating an Authentication Server in your Connection Broker, you must provide the credentials for an account that has Read permissions for User objects. If you are using an Active Directory Center to register physical desktops or blades with your Connection Broker, the user also requires Read permission for Computer objects.

In Active Directory, you can check the access control list (ACL) for the Users group, to determine who has Read permissions for these objects.

  1. In the Active Directory Users and Computers dialog, right-click on the Users node in the console tree.
  2. Select Properties from the right-click menu.
  3. In the Users Properties dialog, go to the Security tab.
  4. Ensure that the account you entered when defining your Authentication Server in the Connection Broker is part of a group included in the Group and user names list. If the user does not fall into any of the groups in this list, you must add the necessary group, or individual user, to this list.
  5. After an appropriate group or user is included in the Group and user names list, check the Permissions list to ensure that this user has Read permissions for users.

If the user has Read permissions in this list, check the Special Permissions (by clicking the Advanced button) to ensure that the account does not inherit a Deny permission.

If the account you entered does not have, or is explicitly denied, Read permissions for User objects, the Connection Broker displays the error LDAP Error: Unable to locate the user when you test the authentication server.


How do I debug problems with the communication between the Connection Broker and my Authentication Servers?
If you are experiencing any type of problem with the communication between the Connection Broker and your authentication server, try using the Test action to debug the problem. To invoke the Test action:

  • Go to the > Users > Authentication Servers page.
  • Click the Test action associated with the appropriate authentication server.
  • In the form that opens, enter the user name and password for a user you know is in that authentication server.
  • Click Authenticate.

If the authentication server is set up correctly, you see a report describing that user’s record. Some common error messages include the following.

  • LDAP Error: Could not bind to “DomainName”: Check the administrator credentials entered in the Search Settings section. See the "Why do I get a bind error when I test my Authentication Server" FAQ article for more information.
  • Could not resolve hostname: Check the DNS record for the host name you entered into the Address edit field.
  • User not found: Check all of the following:
    • The user's credentials were correctly entered in the Test form.
    • The sub-tree entered into the User Login Search section includes the branch that contains the user you tested.
    • The account you used when creating the Authentication Server has Read permissions for the User objects in your Active Directory service.


Why do I get a bind error when I test my Authentication Server?
Binding is the process of associating the Connection Broker with a specific Active Directory Domain Services object. The Connection Broker is unable to bind with Active Directory if the credentials provided when the authentication server was created are, for example, invalid or expired. If a test of the authentication server produces a Could not bind error, look at the error code at the end of the error string. The following table describes some common error codes and their meaning.

| Code | Definition | Notes |
|------|------------|-------|
| 525 | User not found | The specified username is invalid. |
| 52e | Invalid credentials | The user name is valid, however the password is not correct. |
| 530 | Not permitted to logon at this time | The user name and password are valid, however the account is restricted from logging in at this particular time of day. |
| 532 | Password expired | The user name and password are valid, however the password has expired. |
| 533 | Account disabled | The user name and password are valid, however the account is currently disabled. |
| 701 | Account expired | The user name and password are valid, however the account has expired. |
| 733 | User must reset password | The user name and password are valid, however the password must be reset before they can log in. |
| 755 | Account locked | The user name and password are valid, however the account is locked. |
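
The sub-code lookup described above can be scripted when you are triaging many failed tests. The following is an added example, not Leostream code: it assumes the error string carries Active Directory's usual "data <code>" diagnostic, and the sample messages and the "owner" labels are constructed for illustration. Active Directory itself reports the last two conditions as 773 and 775, so the example accepts those values as well as the ones listed in the table.

```python
import re

# Sub-codes from the table above: code -> (definition, who has to act).
# The "owner" labels are this example's own, not Connection Broker terms.
BIND_CODES = {
    "525": ("User not found", "broker-config"),
    "52e": ("Invalid credentials", "broker-config"),
    "530": ("Not permitted to logon at this time", "directory-admin"),
    "532": ("Password expired", "directory-admin"),
    "533": ("Account disabled", "directory-admin"),
    "701": ("Account expired", "directory-admin"),
    "733": ("User must reset password", "directory-admin"),
    "755": ("Account locked", "directory-admin"),
}
# Active Directory reports must-change-password as 773 and locked-out as 775;
# map those onto the matching rows of the table.
AD_ALIASES = {"773": "733", "775": "755"}

# Assumed diagnostic format: "... AcceptSecurityContext error, data 52e, v1db1"
DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]{3,4})\b")

_PREFIX = 'LDAP Error: Could not bind to "EXAMPLE": 80090308: LdapErr: '
# Constructed sample messages (not captured from a real broker).
SAMPLE = [
    _PREFIX + "DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1",
    _PREFIX + "DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1",
    _PREFIX + "DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1",
    "Could not resolve hostname",
]


def triage_bind_error(message):
    """Return a dict describing the bind failure, or None if no sub-code."""
    match = DATA_RE.search(message)
    if not match:
        return None
    code = match.group(1).lower()
    row = AD_ALIASES.get(code, code)
    definition, owner = BIND_CODES.get(row, ("Unknown sub-code", "unknown"))
    return {"code": code, "definition": definition, "owner": owner}


def summarize(messages):
    """Count sub-codes and flag a lockout that follows bad-password binds."""
    counts = {}
    bad_password_seen = False
    lockout_after_bad_password = False
    for message in messages:
        result = triage_bind_error(message)
        if result is None:
            continue  # not a bind failure with a sub-code (e.g. DNS error)
        counts[result["code"]] = counts.get(result["code"], 0) + 1
        if result["definition"] == "Invalid credentials":
            bad_password_seen = True
        elif result["definition"] == "Account locked" and bad_password_seen:
            # Repeated tests with a stale password locked the bind account.
            lockout_after_bad_password = True
    return counts, lockout_after_bad_password


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A lockout that follows a run of invalid-credential failures usually means the broker kept binding with an old password, so correct the stored password before asking for the account to be unlocked.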


Why did my Connection Broker stop working when I changed the administrator credentials in Active Directory?
The Connection Broker uses the authentication server to authenticate users, identify groups that a user may belong to, and assign policies to users based on these groups. The Connection Broker must be able to log into the authentication server with an account that has read access to the entire LDAP tree.

If you change the password that the authentication server uses to access the LDAP system, you must also change the password in the Connection Broker. The password for the Authentication Server login can be changed on the > Users > Authentication Server page.



Working with Centers

Why are my centers offline?
The Connection Broker marks centers offline if it cannot reach the center. If the credentials you entered into the center are not correct or are for a user who does not have administrator rights, the center appears offline. The center can also be offline if the server IP address is unreachable.

You can use the Log action on the > Resources > Centers page to get more information. You can also test the credentials you entered for vCenter centers using the Test action.

Note: If you change the password in one of your centers, you must also change the password in the Connection Broker. To do this, go to the > Resources > Centers page and select the Edit action associated with that center. For Active Directory centers, go to the > Users > Authentication servers page and select the Edit action for the authentication server associated with the Active Directory center.


Why is the Active Directory option missing from the Type drop-down menu when I create a Center?
You must create an Active Directory authentication server in the Connection Broker before you can create a Center. To create the authentication server:

  1. Go to the > Users > Authentication servers page.
  2. Click Create.
  3. Select Active Directory in the Type drop-down menu.
  4. Fill in the remaining fields in the Connection Settings and Search Settings sections.
  5. Click Next.
  6. Enter a name for the authentication server.
  7. In the User Login Search section, enter the sub-tree that contains the desktops you want to include in the center.
  8. Click Save.

This Active Directory authentication server can now be used to create an Active Directory Center.

Note: You can use this same authentication server to authenticate users and assign roles and policies.



Working with Desktops

Why is my > Resources > Desktops page empty?
If your > Resources > Desktops page does not list any desktops, check the following.

  • Is the list being filtered? Switch the Filter this list drop-down menu to No filter and select All from the drop-down menu at the top of each column.
  • If the table is still empty, are your centers online? Go to the > Resources > Centers page and check the Status column for each center.  If your centers are offline, refer to the “Why are my centers offline?” FAQ.
  • If the center is online, try refreshing the center by selecting the Refresh option for that center.


Why are my users receiving the “No Desktops are Available” warning?
When all desktops are already assigned to users, new users receive the “No Desktops are Available” error message. By default, desktops remain assigned to a user even after the user disconnects.

To resolve this issue:

  • Find out which desktops are assigned, and to which user they are assigned.
  • Modify your policies to release desktops back to their pools when the user disconnects or logs out to ensure that you do not run out of desktops.

To determine which desktops are assigned to users:

  • Go to the > Resources > Desktops page and sort the list backwards by the User column. (The icon next to the User column header should point down, which may require you to click twice on the column header). Desktops that are assigned to users appear at the top of the desktop list.
  • Go to the > Resources > Pools page and click on the number in the Assigned column of the All Desktops pool.  A table opens, listing each assigned machine and its owner.

To manually release desktops back to their pools and, hence, make the desktop available for assignment, go to the > Resources > Desktops page and select the Release action for that desktop.

To modify your policies to release desktops back to their pools, for each pool in the Edit Policy page, assign a release plan that automatically releases desktops back to their pools when the user logs out.


Why are desktops marked "Unreachable", "Unavailable", or "Duplicate"?
The Unreachable status indicates that the desktop failed the port check specified in the user's policy.  This port check is performed to determine when the Connection Broker needs to offer the user a desktop from the backup pool.

The Connection Broker continues to offer unreachable desktops to users, and will automatically switch the desktop status back to available when the desktop is back online.

The Unavailable status indicates that the Connection Broker will not assign that desktop to the user. The Connection Broker marks newly discovered/provisioned desktops as Unavailable, if you select the Set newly-discovered Desktops to “Unavailable” option on the Edit Center page. You can also manually set the status of a desktop to Unavailable using the Edit Desktop dialog.

The Duplicate status indicates that a desktop is included in the > Resources > Desktops page more than once. Typically, this occurs when the Connection Broker discovers the desktop in multiple centers. The Connection Broker does not assign machines with a status of Duplicate.

To remove Duplicate entries, you must delete the center that contains them.

Note: If a virtual machine in a vCenter center is also registered in an Active Directory center, the Active Directory entry is marked as the duplicate.

If you have an Active Directory center and use DNS names for machines, you may see duplicate machines if you have several DNS records that point to the same IP address.  You cannot indicate to the Connection Broker which record is real, and which is the duplicate. To remove these duplicate entries, you must remove the stale DNS records.


Why does my ActiveX RDP session not launch on a Windows Vista client?
If the Connection Broker Web interface displays a white box with a black outline, and the lower corner indicates the page is “Done”, the ActiveX RDP control is unable to launch when your users try to connect to their VMs.

If you are using an SSL VPN, this problem may be related to the Web browser's security zones. By default, Microsoft Internet Explorer version 7 does not allow the SSL VPN site and, therefore, does not pass through the appropriate permissions. To solve this problem, add your SSL VPN site to the list of trusted sites in the Security tab of the Internet Options dialog.


Why are the Leostream Agents marked “Unreachable” or “Unresponsive”?
The Unreachable status indicates that the Connection Broker cannot call out to the Leostream Agent. This typically occurs when the Leostream Agent is stopped or is blocked by a firewall. Check the firewall status of the Leostream Agent on the desktop.

The Unresponsive status indicates that the Connection Broker can call out to the Leostream Agent, but the agent is not responding back. This typically occurs when the Leostream Agent is not properly configured for firewalls or SSL communication, or if the agent is pointing at a different Connection Broker. Ensure that the Connection Broker VIP is set correctly on the Connection Broker > System > Network page.



Working with Clients

Why do I get an "Unconnected sockets not implemented" error when using the Java version of Leostream Connect?
Some versions of the Java Runtime Environment contain an issue where the HTTPS protocol handler fails to create a socket. In particular, the JRE version included with Sun Secure Global Desktop (JRE 1.6.0_13) includes this error. If you encounter this error, update the JRE to version 1.6.0_21.
