Chapter 2. ThinLinc Architecture
Table of Contents
- 2.1. Session Overview
The goal of this chapter is to give a technical overview of how the system works for someone who will install or maintain a ThinLinc installation.
ThinLinc is a product concept for managing server-based computing. The system is largely based on open source software, which has led to an expansion of the concept to encompass solutions for authentication, availability systems, emulations and conversion between different computer systems. ThinLinc can be used as a gateway between different types of clients and a large number of base systems.
The system architecture allows an existing infrastructure to be maintained while the new architecture is gradually introduced to the organization. The system can be launched alongside the existing systems for a gradual migration to a new platform, and at the same time it acts as a link or gateway between the existing systems.
The architecture is flexible in order to handle larger organizations with autonomous office applications or functions, with maintained management and security. The system can be supplemented with an automatic system for installation, configuration and administration of the client hardware, for instance through the use of PXE. It's also possible to create different user groups. In this way, departments with special needs are easily administered in the case of adaptations or user-driven application development.
Figure 2.1 gives an overview of the ThinLinc architecture.
Several types of clients can be used to connect to a ThinLinc system. There are clients for Linux and Windows as well as a client for any Java-enabled web browser. ThinLinc also contains a special client operating system, the ThinLinc Client Operating System (TLCOS), that can be used to convert an old PC to a dedicated Thin Client, something that can be a great cost-saver.
The clients are used to connect to a ThinLinc system located on the Local Area Network (LAN) or on a Wide Area Network (WAN) such as the Internet. Depending on the network type and the bandwidth available, several bandwidth-saving algorithms can be used to provide good performance even over low-bandwidth links. Encryption is used to protect all information sent in either direction between the client and the server.
When a user connects to a ThinLinc server, a session is created. This session is the user's starting point for running applications either on the ThinLinc server(s) or on other servers reachable from the ThinLinc server. ThinLinc has a Single Sign-On (SSO) mechanism that enables passwordless but secure logins to, for example, Windows Terminal Servers and other Unix servers running special applications.
The ThinLinc servers can run either Linux or Solaris. There is support for High Availability and advanced two-level load balancing.
When a user logs in from a ThinLinc client, the following will happen:
1. The client establishes an SSH tunnel to the server entered in the server field of the client interface. If setting up the tunnel fails, the procedure is interrupted and an error message is displayed.
2. The client tries to authenticate against the VSM server through the SSH tunnel. The VSM server (VNC Session Manager) is the main process of ThinLinc, responsible for allocating and keeping track of user sessions.
3. If the authentication succeeds, the server checks whether a session already exists for the user. If there is a session, information about it is returned. If there is no session, a new one is started on a terminal server and information about it is returned. If more than one terminal server exists, load balancing is used to select which server to start the session on.
4. The client now disconnects the SSH tunnel to the VSM server and checks the information it received to see which terminal server it should connect to.
5. The client now establishes a new SSH tunnel to the VSM agent server it received information about from the VSM server. Tunnels for sound and serial port forwarding are established if enabled, and a tunnel for VNC is set up unless ThinLinc has been configured not to encrypt VNC traffic. All tunnels are multiplexed over the same SSH connection.
6. The client now starts the VNC viewer. VNC will either run against a local port on the client machine or directly against the server, depending on whether encryption is enabled or not.
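The login sequence above, modelled as an added example (not ThinLinc code) that returns the network flows a client ends up with, so the cleartext VNC case is visible when planning firewall rules. The `VsmServer` class, the `login` function, the host names, the credentials and the least-loaded balancing rule are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

class LoginError(Exception):
    """A step failed, so the login procedure is interrupted."""

@dataclass
class VsmServer:
    """Hypothetical stand-in for the VSM server (not ThinLinc's API)."""
    passwords: dict                                # constructed sample credentials
    agent_load: dict                               # agent host -> running sessions
    sessions: dict = field(default_factory=dict)   # user -> agent host

    def session_for(self, user, password):
        if self.passwords.get(user) != password:
            raise LoginError("authentication against the VSM server failed")
        if user not in self.sessions:
            # Assumption: "load balancing" is modelled as least-loaded agent.
            agent = min(self.agent_load, key=self.agent_load.get)
            self.agent_load[agent] += 1
            self.sessions[user] = agent
        return self.sessions[user]                 # an existing session is reused

def login(vsm, vsm_host, reachable, user, password,
          encrypt_vnc=True, sound=False, serial=False):
    """Walk the login steps and return the flows the client ends up with."""
    if vsm_host not in reachable:                  # first SSH tunnel
        raise LoginError("SSH tunnel to %s failed" % vsm_host)
    agent = vsm.session_for(user, password)        # authenticate, find or create session
    # The tunnel to the VSM server is dropped here; it is not a long-lived flow.
    if agent not in reachable:                     # second SSH tunnel
        raise LoginError("SSH tunnel to %s failed" % agent)
    wanted = (("vnc", encrypt_vnc), ("sound", sound), ("serial", serial))
    # All enabled tunnels are multiplexed over this one SSH connection.
    flows = [("ssh", agent, [name for name, on in wanted if on])]
    if not encrypt_vnc:
        # The viewer talks to the server directly, outside the SSH connection.
        flows.append(("vnc-cleartext", agent, []))
    return {"agent": agent,
            "viewer_target": "localhost" if encrypt_vnc else agent,
            "flows": flows}

if __name__ == "__main__":
    vsm = VsmServer({"alice": "pw-a", "bob": "pw-b"}, {"agent1": 0, "agent2": 0})
    hosts = {"vsm.example", "agent1", "agent2"}
    print(login(vsm, "vsm.example", hosts, "alice", "pw-a", sound=True))
    print(login(vsm, "vsm.example", hosts, "bob", "pw-b", encrypt_vnc=False))
```

In this model the client needs SSH reachability to both the VSM server and every agent it may be sent to, and a `vnc-cleartext` flow appears only when VNC encryption is turned off.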
