Skip to content
Freddie Akeroyd edited this page Mar 14, 2022 · 7 revisions

Proposed structure for VNC Cloud Groups:

Proposed procedure for setting up VNC Cloud access:

Owner / Admin (Single Experiment Controls group member)

  1. Enables "global" Two-Factor Authentication for all users of the VNC Cloud system, in accordance with site security advice.
  2. Creates "Machine Groups" in VNC portal all within the ISIS "Team", one per physical ISIS instrument e.g. "LMX" (See diagram above)
  3. Creates "People Groups", one per instrument (e.g. "LMX Instrument Scientists" or perhaps "LMX Users" containing instrument scientists and external users for simplicity)
  4. Grants access to Machine Group to appropriate People Group
  5. Invites Instrument Scientists (IS) to create a VNC account via VNC portal (invitation email)
  6. Grants "Manager" privilege to IS
  7. Adds IS to appropriate People Group(s)

Manager (IS or other ExptCtrl member)

  1. Creates VNC Cloud account using link in invitation email from Owner/Admin
  2. Sends emails to external users via VNC Cloud portal inviting them to create a VNC account
  3. Grants "User" privilege to new users
  4. Adds users to appropriate People (instrument) Group(s) (and removes when experiment over)
  5. (Optional if willing & able) Installs VNC Server on the relevant machine(s) (e.g. NDCxxx & NDLxxx) via conventional VPN and RDP. (Details in "Deployment" section of VNC Cloud portal). More help in VNC Article
  6. Enables "Cloud Connectivity" in Server options. More help in VNC Article
  7. Adds "local" computers (viewing, analysis, etc.) to Machine Group(s) (See diagram above)
  8. Performs below steps to use VNC client

User (External facility user):

  1. Creates VNC cloud account using link in invitation email from IS
  2. Downloads, installs and runs VNC client.
  3. Logs in and is presented with list of machines authorised to connect to
  4. Connects to a machine, typically a general access cabin PC (NDCxxx) or analysis machine (NDLxxx) [at this point has same access as if physically present in instrument cabin]
  5. Connects to instrument control computer (NDXxxx) via RDP (if session not already established)

Read/Write and Read-only

The Read Only and Read/Write access is to be controlled by changing the privileges on the viewing machine's standard instrument user account (ISUA).

This will be for the simplest case for when the viewing machine is running Windows and has (ISIS instrument) standard local user and admin accounts, although the principal still applies to a Linux analysis machine and other cabin machines.

Procedure:

  1. Instrument scientist adds ISUA to access list in "Users and Permissions" section of VNC Server options
  2. IS changes permissions in VNC server settings for ISUA to be either R or R/W to suit experiment
  3. User runs local VNC client and logs in using their personal account
  4. User sees list of available machines and connects to one using ISUA
  5. Views (if R only and connection previously established by IS) OR
  6. Connects (if R/W) to screen of instrument control computer via RDP if no active session, or "local" VNC client (as if in cabin in person)
  7. Instrument scientist sets privileges of ISUA back to Read Only after experiment ends
  8. (Optional) IS removes user from "Instrument People group" in VNC Cloud portal

See VNC article for more information.

NB

When connecting using an account which has Read Only access, the Users will have no control over the remote computer whatsoever, not even being able to connect to the control machine. This option is severely limited (by design) and so relies heavily on the IS to create and leave the RDP session to the control machine in a state which will provide sufficient information to their Users.

The Read / Write option on the other hand, offers full control of the remote computer and so the IS needs to consider carefully the implications of allowing Users to connect with this privilege level.

Troubleshooting

If you can connect via cloud VNC but get a blank screen that you can do nothing with, this may be because no monitor is attached to the computer. The cloud VNC needs to start the vnc server program in service mode (running as a windows service), and this seems to need a screen of some sort. We run VNC server in user mode on the NDX and this is happy just having an active remote desktop session rather than a screen, but user mode only allows point to point rather than cloud connections.

We have purchased some "screen dongles" that can be used instead of a monitor, these attach to e.g. the display port adapter on the PC.

Clone this wiki locally