Settings Glossary#

In this section we describe all of the settings available in the config file.

Note

All changes to Scyld.Auth settings except Scyld.Auth.Enabled take effect without a service restart.

Server.AdvancedSettings#

Advanced Settings, see Settings Menu

Server.AdvancedSettings.Enabled#

Set to true to enable the Advanced Settings Tool on the client. A client connected as an OS user who is member of the administrator group (Windows) or the irw-wheel (Linux, MacOS) can use this tool to configure the server.

Defaults to true.

Server.AdvancedSettings.AdminOnly#

When set to true access to the Advanced Settings Tool is limited to the configuration file user. See Config File Authentication

Defaults to false.

Server.AdvancedSettings.GuestAccess#

Controls the access of guest to the Advanced Settings Tool on the client. When set to true, any guest can access this feature when they get control, such as access to the server’s keyboard.

Be aware that a server restart will disconnect any guests, so the host has to issue a new invite.

Defaults to false.

Server.Audio#

Audio forwarding related settings, see Toggle Audio

Server.Audio.Enabled#

Determines if fetching the remote server’s audio is allowed. Defaults to true.

If true, the remote server’s audio can be streamed.

If false, the remote server’s audio cannot be streamed.

When Multi-Session is enabled, audio is not supported on the host session.

Added in v10.0.0.

Server.Audio.Output.BufferTime#

The buffering time (in seconds) for the audio output stream.

Lowering the time improves synchronization with the video stream, but may result in more playback skipping.

Increasing the time results in a more stable playback, but adds latency to audio playback and causes it to be less synchronized with the video stream.

Note

If you are using devices that add additional latency (such as Bluetooth speakers), then lowering this value may be beneficial.

Defaults to 0.020.

Changed in v10.2.0.

Server.Audio.Output.SampleRate#

Determines the audio sample rate in Hz. Higher sample rates lead to better audio quality, but consume more bandwidth. Supported values are 96000, 48000, 44100, and 22050.

Note

CD audio quality can be achieved with a sample rate of 44100 Hz and a format of s16le.

Defaults to 44100.

Updated in v11.3.0. Added new supported values.

Server.Audio.Output.Stream.Format#

Determines the audio output format. Note that audio bit depth (i.e., bits per sample) differs for each of the supported PCM formats below. Higher bit depth may improve audio quality, but will consume more bandwidth.

Note

CD audio quality can be achieved with a sample rate of 44100 Hz and a format of s16le.

Format	Description
`s8`	PCM 8-bit signed integer little endian
`s16le`	PCM 16-bit signed integer little endian
`s24le`	PCM 24-bit signed integer little endian
`f32le`	PCM 32-bit floating point little endian

Defaults to s16le.

Added in v10.2.0.

Server.Audio.Output.Stream.Device#

Linux Only.

Determines the Pulseaudio monitor sink to fetch audio from on the server. These names must end with .monitor. Usually this value is automatically detected and updated to reflect the operating system’s default audio device.

To force the system to use a specific device, use the command: pactl list short sinks to see a list of the device names. In the example below, there are two available sinks:

[root@server ~]# pactl list short sinks
0   alsa_output.pci-0000_00_04.0.analog-stereo  ...(additional text)...
1   alsa_output.pci-0000_00_05.0.analog-stereo  ...(additional text)...

To select the first device, set the value of this setting to: alsa_output.pci-0000_00_04.0.analog-stereo.monitor.

Defaults to auto.

Added in v10.0.0.

Server.Audio.Output.SampleRateAdjust#

Sets the adjustment for the sample rate when server and client rates drift.

Defaults to 1.01.

Added in v10.0.0.

Server.Audio.Output.StartDelay#

Sets the initial delay (in fractions of a second) before the playback starts. A higher value may prevent noise due to empty sample buffer, but also adds delay to the playback.

Defaults to 0.050.

Added in v10.0.0.

Server.Audio.Output.BitsPerSample#

Sets the bits per sample.

Defaults to 16.

Added in v10.0.0.

Server.Audio.Output.SamplesPerFrame#

Defines the chunk size used during the transmission of audio data.

Defaults to 4096.

Added in v10.0.0.

Server.Audio.Output.Threshold#

Sets the audio output threshold.

Defaults to 0.150.

Added in v10.0.0.

Server.Auth#

Authentication Settings, see Server Authentication

Server.Auth.Enabled#

Determines if authentication is enabled and valid credentials are required to sign-in (recommended).

Defaults to true.

If false, then all authentication is disabled and any credentials can be used to sign-in. Guest invites are also disabled in this case.

Note

Changing this value only takes effect after a service restart.

Server.Auth.AllowedGroups#

Limits access to the server to users which are members of any group listed by this setting (currently Linux only).

By default not set.

Server.Auth.ExternalSignInPage#

A URL to your organization’s custom sign-in page. When this value is set to a non-empty string, the normal sign-in user interface is replaced with a link to the custom sign-in page.

Note

Setting this value does not enable or disable any authentication protocols. Users may still be able to sign in using ajax calls even if the normal sign-in user interface is disabled.

Added in v9.1.

Server.Auth.Username#

Declares a username to be used in combination with the password defined by Server.Auth.ShadowPassword at the ICE RemoteWare sign-in page.

Config File Authentication can be disabled by commenting or removing Server.Auth.Username and Server.Auth.ShadowPassword. This must be specified with Server.Auth.ShadowPassword and is not necessarily the same as the username used by the remote operating system.

Note

Changing this value takes effect without a service restart.

Changed in v5.0.0.

Server.Auth.ShadowPassword#

A shadowed password used to sign-in to the ICE RemoteWare sign-in page. Config File Authentication can be disabled by commenting or removing Server.Auth.Username and Server.Auth.ShadowPassword. The format is as follows:

$6$<salt>$<hash>

The initial 6 value should never be changed and signals that SHA-512 should be used. The <salt> and the plain text password are used to create the hashed password using the UNIX crypt method. See http://linux.die.net/man/3/crypt for more information on UNIX crypt.

Warning

Even though the ShadowPassword value encrypts your password, its contents should remain private. If you suspect that any part of the ShadowPassword has been compromised, change your password immediately using the password update utility:

Linux: sudo ice-remoteware.sh --passwd
Windows: ice-remoteware.exe /passwd
MacOS: sudo ice-remoteware --passwd

Note

Changing this value takes effect without a service restart.

Changed in v11.1.0.

Server.Auth.MinPasswordLength#

The built-in password updater uses this value to require a minimum password length for Server.Auth.ShadowPassword and Server.Broker.ShadowPassword.

Defaults to 6.

Note

Changing this value takes effect without a service restart.

Changed in v11.1.0.

Server.Auth.FailAttempts#

The number of unsuccessful sign in attempts a client is allowed before the server temporarily rejects future requests from that client for a time period specified by Server.Auth.FailDelay. This helps reduce brute force attacks.

Note

Changing this value takes effect without a service restart.

Changed in v5.0.0.

Server.Auth.FailDelay#

The length of time that the server will reject sign in requests from clients that repeatedly fail to sign in. See Server.Auth.FailAttempts for more information.

Note

Changing this value takes effect without a service restart.

Changed in v5.0.0.

Server.Auth.OnlyOSUser#

When set to true, only the currently logged in username can be used to log into the server. If no user is logged in, any available username can be chosen.

This does not affect the configuration file admin user.

Defaults to true.

Server.Auth.HardenedConfig#

If set to true, the server disables the following configuration settings by default:

Server.Clipboard.Copy.Enabled: Copying clipboard from server to client
Server.Clipboard.Paste.Enabled: Pasting client clipboard to server
Server.FileDownload.Enabled: Downloading files from the server
Server.FileUpload.Enabled: Uploading files to the server
Server.AdvancedSettings.Enabled: Advanced settings editor
Server.LogViewer.Enabled: Showing log files on the client
Server.License.Upload.Enabled: Uploading licenses to the server
Server.Collaboration.Guests.Enabled: Inviting guest clients to current session
Server.VirtualHere.Enabled: USB forwarding

If any of the listed features should be supported by the server, they need to be explicitly activated in the configuration.

The server also sets the defaults to true for the following features:

Server.Misc.AutoLock.Enabled: OS locking of the desktop
Server.UserNotifications.Enabled: Notify OS user of events

Defaults to false.

Server.Auth.ScyldCloudAuth.URL#

The URL to the Scyld Cloud Auth authentication web service. Only applies to Scyld Cloud Manager products.

Note

Changing this value takes effect without a service restart.

Changed in v5.0.0.

Server.Auth.ScyldCloudAuth.Allow#

A list of <Username></Username> elements. Case insensitive. Each <Username> element enables a username to be authenticated by ScyldCloudAuth. Username elements can use asterisk wildcard characters (i.e. *@penguinsolutions.com enables all usernames that end in @penguinsolutions.com).

Note

Changing this value takes effect without a service restart.

Changed in v11.0.0.

Server.Auth.ScyldCloudAuth.Deny#

A list of <Username></Username> elements. Case insensitive. Each <Username> element disables a username to be authenticated by ScyldCloudAuth. Usernames that are mentioned by both the Deny and Allow list are denied.

Username elements can use asterisk wildcard characters (i.e. *@penguinsolutions.com enables all usernames that end in @penguinsolutions.com).

Note

Changing this value takes effect without a service restart.

Changed in v11.0.0.

Server.Auth.ScyldCloudAuth.ApiKey#

A string that uniquely identifies the server. This is required to make privileged Scyld Cloud Auth web service calls.

Added in v9.1.

Server.Auth.ScyldCloudAuth.ApiSecret#

A string that represents a shared secret between the ICE RemoteWare product and the Scyld Cloud Auth server. This is required to make privileged Scyld Cloud Auth web service calls.

Added in v9.1.

Server.Auth.DefaultTimeout#

The lifetime (in seconds) of a session token that starts upon successfully signing in. Session tokens let you access protected resources from the server such as creating a new remote-visualization connection. Increasing this value means a longer period of time you can access the resources without signing in again.

Existing remote-visualization connections are unaffected by session token timeouts. Defaults to 60 seconds.

Note

Changing this value takes effect without a service restart.

Changed in v5.0.0.

Server.Auth.OSAuth.Enabled#

Determines if authentication using OS credentials is enabled. Defaults to true.

Important

While config file or ScyldCloudAuth usernames can be used to sign in to the ICE RemoteWare software at any time, only a single set of OS credentials can only be used to sign-in at a time. This prevents different OS credentials from signing in at the same time.

Note

Changing this value takes effect after a service restart.

Added in v6.1.0.

Server.Auth.OnSignIn#

The path of a script to execute immediately after signing in. The script is passed the system account name of the user as an argument. By default, this is not set, but it can be used for custom sign-in initialization.

Note

Changing this value takes effect without a service restart.

Changed in v5.0.0.

Server.Auth.OSAuth.PAM.Service#

The service name of the PAM (Pluggable Authentication Module) service. The service is defined by the file /etc/pam.d/service name or in /etc/pam.conf.

Defaults to login.

When changing the PAM method, it might be necessary to change the login hints on the sign-in page, see Server.Customization.UserNameInput and Server.Customization.PasswordInput

Added in v8.0.0.

Server.Broker#

Server.Broker.Username#

Declares a username to be used in combination with the password defined by Server.Broker.ShadowPassword for accessing API calls only.

Config File Authentication can be disabled by commenting or removing Server.Broker.Username and Server.Broker.ShadowPassword. This must be specified with Server.Broker.ShadowPassword and is not necessarily the same as the username used by the remote operating system.

Note

Changing this value takes effect without a service restart.

Changed in v11.0.0.

Server.Broker.ShadowPassword#

A shadowed password used to sign in on the ICE RemoteWare sign-in page. Config File Authentication can be disabled by commenting or removing Server.Broker.Username and Server.Broker.ShadowPassword. The format is as follows:

$6$<salt>$<hash>

The initial 6 value should never be changed and signals that SHA-512 should be used. The <salt> and the plain text password are used to create the hashed password using the UNIX crypt method. See http://linux.die.net/man/3/crypt for more information on UNIX crypt.

Warning

Even though the ShadowPassword value encrypts your password, its contents should remain private. If you suspect that any part of the ShadowPassword has been compromised, change your password immediately using the password update utility:

Linux: sudo ice-remoteware.sh --broker-passwd
Windows: ice-remoteware.exe /broker-passwd
MacOS: sudo ice-remoteware --broker-passwd

Note

Changing this value takes effect without a service restart.

Changed in v11.1.0.

Server.Clipboard#

Server.Clipboard.AutoSync.Enabled#

When set to `true users of the Native Client can choose to automatically sync server and client clipboards. This setting requires copy and paste of clipboards to be enabled.

Defaults to true.

Server.Clipboard.AutoSync.Notifications#

When set to true all clipboard copy operations will trigger a notification on the client UI.

Defaults to false.

Server.Clipboard.Copy.Enabled#

Enables copying the clipboard from the server to the client.

See Copy Remote To Local Clipboard

Defaults to true.

Server.Clipboard.Copy.MaxSize#

This setting controls the maximum size of clipboard content allowed to be copied from the server to the client.

Default is 10m.

Server.Clipboard.Copy.Bandwidth#

Controls the maximum bandwidth used when copying server clipboard content to the client.

Default is 64m.

Server.Clipboard.Copy.FragSize#

Defines the size of the fragments sent during the transfer of the server clipboard to the client. This can be used to control the traffic patter during this operation as smaller fragments prevent peaks in bandwidth consumption Keep in mind that a smaller value puts more load on the clients.

Default is 131072.

Server.Clipboard.Paste.Enabled#

When set to true, clients can paste the contents of their clipboard to the server’s clipboard.

See Paste Local To Remote Clipboard

Default is true.

Server.Clipboard.Paste.KeyboardShortcut#

When set to true the user can use OS shortcuts to paste the server clipboard:

To paste text from a local Linux/Windows clipboard into a remote Linux/Windows desktop, press Ctrl+v.

To paste text from a local MacOS clipboard to a remote Linux/Windows desktop, use your browser’s menu system to select Edit > Paste. This transfers the local clipboard to the remote clipboard. Once this is done, you can use Ctrl+v or use your remote application’s paste feature.

This feature is disabled by default as it would interfere with a server-only workflow. Only when combining a MacOS server/client with a Linux/Windows client/server the system can distinguish between a local and a remote paste action.

Default is false.

Also, see notes at Keyboard Menu

Server.Clipboard.Paste.Bandwidth#

Controls the maximum bandwidth used when copying the client clipboard to the server.

Default is 64m.

Server.Clipboard.Paste.FragSize#

Defines the size of the fragments sent during the transfer of the client clipboard to the server. This can be used to control the traffic patter during this operation as smaller fragments prevent peaks in bandwidth consumption Keep in mind that a smaller value puts more load on the clients.

Default is 131072.

Server.Collaboration#

Collaboration framework related setting, see Collaboration

Server.Collaboration.Guests.Enabled#

When set to true, clients can invite guests to log in via a unique server-generated link. Guests are not authentificated by the server. This feature can be turned off by setting the value to false.

Defaults to true.

Server.Collaboration.Guests.MaxInviteTime#

Time (in seconds) an invite link to join the session as guest is valid.

Defaults to 7200.

Server.Collaboration.Guests.Reconfirm#

When set to false, a guest using the invite link can connect to the server without a confirmation by the client that generated the invite.

Defaults to true.

Server.Collaboration.MaxClientCount#

The maximum number of clients that can be connected at a time.

Note: This doesn’t only apply to guests, but also to other connected users.

Defaults to 6.

Added in v3.0.0.

Server.Customization#

Server Web page customizations, for more information see Local-site Customization

When you are altering fields or labels on the sign-in page with HTML statements, use < for “<” and > for “>”. Use for example “<h2>” instead of “<h2>”.

The Advanced Settings page will translate any tags automatically.

The css file signin-cust.css in the wwwroot directory provides some editable style classes. While all other files in this directory are static, this one can be changed.

Server.Customization.MainPageTitle#

Sets the title of the main page.

Default is ${HOSTNAME} - ${BRAND_TM_HTML}.

Server.Customization.SignInCaption#

Defines the caption displayed on the sign-in page.

Default is ${HOSTNAME}.

Server.Customization.SignInTitle#

Sets the title on the sign-in page and on the tabs of the connecting browser.

Default is Sign In - ${HOSTNAME}.

Server.Customization.UserNameInput#

Sets the description of the user field on the sign-in page. Use this setting to adapt the sign-in page to your authentication method.

Default is Username or Email.

Server.Customization.PasswordInput#

Sets the description of the password field on the sign-in page. Use this setting to adapt the sign-in page to your authentication method.

Default is Password.

Server.Customization.SignInFailWarning#

Sets the warning message after an unsuccessful sign-in attempt. Use this guide the user based on your authentication method.

Default is Incorrect username or password.

Server.Customization.SignInWrongGroupWarning#

Sets the warning message after an unsuccessful sign-in attempt, when a user is not a member of any group allowed to connect.

Default is User is not member of any group allowed to sign-in.

Server.Customization.SignInHint#

The text of this setting will be shown on the sign-in page to guide the user based on the authentication method used. It accepts HTML code to format the message.

Default is not set.

Server.Customization.SignInCaptionGuests#

Defines the caption displayed on the sign-in page for guest logins.

Default is ${HOSTNAME}.

Server.Customization.SignInTitleGuests#

Sets the title on the sign-in page for guests and on the tabs of the connecting browser.

Default is Guest Sign In - ${HOSTNAME}.

Server.Customization.Message.Text#

Allows the system admin to show each user a small message when they log in, such as reminding the user of important policies on this specific machine.

Not set by default.

Server.Customization.Message.Timeout#

Timeout (in seconds) of the initial welcome message.

Default is 5.

Server.FileUpload#

Upload files to server, see File Handling Menu

Server.FileUpload.Enabled#

When set to true, users are allowed to upload files from the client to the server.

When set to false, no files can be uploaded.

Defaults to true.

Added in v13.2.1.

Server.FileUpload.Directory#

Directory to store uploaded files on the server.

Defaults to ${HOME}/Downloads.

Added in v13.2.1.

Server.FileUpload.MaxFileSize#

Maximum file size a client is allowed to upload to the server.

Defaults to 100M.

Added in v13.2.1.

Server.FileUpload.CreateDirectory#

When set to true, the server creates the download directory on behalf of the user. See Server.FileUpload.Directory

When set to false, no directory is created.

Defaults to true.

Added in v13.2.1.

Server.FileDownload#

Download files from server, see File Handling Menu

Server.FileDownload.Enabled#

When set to true, clients are allowed to download files they have access to.

When set to false, no file downloads from the server are supported.

Defaults to true.

Added in v13.2.1.

Server.FileDownload.Directory#

Directory of files to be downloaded to client.

The server monitors this directory and, when a new file is detected during an active client session, the server automatically downloads the file(s) to the client. Any files found in the directory at the start of the client session are ignored until the user clicks on Download Files from Server in the File Menu on the client UI. The server will then download all files in the directory to the client.

For details, see File Handling Menu

Defaults to $ {HOME}/Desktop/Uploads.

Added in v13.2.1.

Server.FileDownload.CreateDirectory#

When set to true, the server creates the monitored directory on behalf of the user. See Server.FileDownload.Directory

When set to false, no directory is created.

Defaults to false.

Added in v13.2.1.

Server.FileDownload.MonitorDirectory#

When set to true, the server monitors a special directory on behalf of the user. When false the server ignores the contents of this directory.

. See Server.FileDownload.Directory

Server.FileDownload.MaxFileSize#

The maximum size a file might have when being downloaded to the client.

Defaults to 100M.

Server.License#

For information on license management, please see: Flexera License Management.

Server.License.Upload.Enabled#

When set to true, the user can upload a new or updated license from the client.

Defaults to true.

Added in v13.2.1.

Server.License.FileName#

Specifies a license file path or a port@host address where an ICE FlexLM license server is hosted. If the default license server port is being used (27002), then @host is also acceptable.

Defaults to ice-remoteware.lic.

Added in v5.0.0.

Server.LocalCursor#

Server.LocalCursor.Enabled#

Determines if the client’s local cursor should be shown instead of the remote cursor. Enabling local cursor typically improves the user experience.

Defaults to true.

Added in v2.2.0.

Server.Log#

Server.Log.Level#

The verbosity of output in the log file.

The LogLevel value can be any one of the following (ordered least-to-most verbose): ‘none’, ‘fatal’, ‘critical’, ‘error’, ‘warning’, ‘notice’, ‘information’, ‘debug’, and ‘trace’.

Server.Log.ServiceLogFile#

A path to the log file of the ICE RemoteWare service. By default, this can be found in the directory of the ICE RemoteWare executable and is named ice-remoteware-service.log. For more information on log output, see Log Output.

Changed in v5.0.0. Previously named Server.ServiceLogFile in v2.2.0. Default value changed

Server.Log.Format#

Format of the output. Defaults to: %Y-%m-%d %H:%M:%S.%i:%q%q:%t

The format pattern is used as a template to format the message and is copied character by character except for the following special characters, which are replaced by the corresponding value.

Log Format Special Characters#
Pattern	Description
%s	message source
%t	message text
%l	priority level (1 .. 7)
%p	priority (Fatal, Critical, Error, Warning, Notice, Information, Debug, Trace)
%q	abbreviated message priority (F, C, E, W, N, I, D, T)
%P	process identifier
%T	thread name
%I	thread identifier (numeric)
%N	node or host name
%U	source file path (empty string if not set)
%u	source line number (0 if not set)
%w	date/time abbreviated weekday (Mon, Tue, …)
%W	date/time full weekday (Monday, Tuesday, …)
%b	date/time abbreviated month (Jan, Feb, …)
%B	date/time full month (January, February, …)
%d	date/time zero-padded day of month (01 .. 31)
%e	date/time day of month (1 .. 31)
%f	date/time space-padded day of month ( 1 .. 31)
%m	date/time zero-padded month (01 .. 12)
%n	date/time month (1 .. 12)
%o	date/time space-padded month ( 1 .. 12)
%y	date/time year without century (70)
%Y	date/time year with century (1970)
%H	date/time hour (00 .. 23)
%h	date/time hour (00 .. 12)
%a	date/time am/pm
%A	date/time AM/PM
%M	date/time minute (00 .. 59)
%S	date/time second (00 .. 59)
%i	date/time millisecond (000 .. 999)
%c	date/time centisecond (0 .. 9)
%F	date/time fractional seconds/microseconds (000000 - 999999)
%z	time zone differential in ISO 8601 format (Z or +NN.NN)
%Z	time zone differential in RFC format (GMT or +NNNN)
%L	convert time to local time (must be specified before any date/time specifier; does not itself output anything)
%E	epoch time (UTC, seconds since midnight, January 1, 1970)
%v[width]	the message source (%s) but text length is padded/cropped to ‘width’
%[name]	the value of the message parameter with the given name
%%	percent sign

Server.Log.FileName#

A path to the log file of the ICE RemoteWare server. By default, this can be found in the directory of the ICE RemoteWare executable and is named ice-remoteware.log. For more information on log output, see Log Output.

Changed in v5.0.0. Default value changed.

Server.Log.FileSize#

Sets the maximal size of the server’s log files (in KB).

Defaults to 24576.

Server.Log.SystemLog.Enabled#

When set to true the server will use the operating system logging facility (Linux only).

Defaults to true.

Server.LogViewer#

Expose logs on client page, see Settings Menu

Server.LogViewer.Enabled#

Set to true to show a link to the server’s logfiles in the Settings menu.

See Server.LogViewer.ServiceLog and Server.LogViewer.AccessLog.

Defaults to false.

Server.LogViewer.AdminOnly#

When set to true access to the LogViewer is limited to the configuration file user. See Config File Authentication

Defaults to false.

Server.LogViewer.GuestAccess#

Controls the access of a guest to the exposed log files in the Settings menu. When set to true, guests can access the log files.

Defaults to false.

Server.LogViewer.ServiceLog#

When set to true, the service log file is exposed in the client UI.

Defaults to false.

Server.LogViewer.AccessLog#

When set to true, the access log file is exposed in the client UI.

See Server.Network.Access.Logger.FileName

Defaults to false.

Server.Misc#

Server.Misc.AutoLock.Enabled#

Determines if the ICE RemoteWare software calls on the OS to lock the desktop upon disconnecting from the web page.

Defaults to false.

Warning

In Linux, screen locking is achieved by entering Ctrl+Alt+l on behalf of the user. While this will lock the screen for most, this feature is not guaranteed to work on all Linux systems.

Changed in v15.0.3. Previously named Server.AutoLock

Updated in v5.0.0.

Server.Misc.IdleUserTimeout#

The length of time (in minutes) after which an idle user gets automatically disconnected. This feature is disabled if value is 0 or less.

This value does not affect MultiSession guests, see Server.MultiSession.Guests.MaxIdleTime

Defaults to 0.

Changed in v15.0.3. Previously named Server.IdleUserTimeout Added in v5.0.0.

Server.Misc.LocalHostRestricted#

When set to false, host users that connect to a ‘localhost’ server are eligible to be automatically assigned control of the keyboard and mouse. This may be useful for certain VPN solutions that map remote addresses to ‘localhost’ addresses.

When set to true, host users that connect to a local machine can only receive control of the keyboard and mouse if it is assigned through the user interface.

Defaults to true.

Added in v12.3.0.

Server.Misc.StartDelay#

Specifies a sleep time to delay the start-up of the ICE RemoteWare software in seconds.

Windows service only.

Defaults to 2.

Added in v5.0.0.

Server.Misc.UnlockWelcomeScreen#

When set to true, the server will automatically send a CTRL-ALT-DEL to the GUI to unlock to OS login.

if not set, the server will enable this feature for Windows server OSes.

Only available on Windows.

Server.Mouse#

Server.Mouse.Enabled#

When set to false, clients are not given the control over the cursor on the server.

Defaults to true.

Server.MultiSession#

Multi Session related variables, see Multi Session (Linux only).

Server.MultiSession.Enabled#

Enables Multi-Session on the server. When this feature is enabled, all connecting clients are redirected to their private X11 server, running under the user id of the connected client.

Default is false.

Server.MultiSession.HostAdmins#

This variable defines a list of OS users who connect directly to the host server and not to a guest X11 server. When this variable is not set all connecting clients will be redirected to their own X11 session. Only the admin user defined in the config file will always directly connect to the host.

Default is not set.

Server.MultiSession.GPUForwarding.Enabled#

When this variable is set to true the server will assign a GPU to the guest session of the client. For more details see Multi Session (Linux only).

Default is true.

Server.MultiSession.GPUForwarding.NumGPUs#

When this variable is set to a value higher than zero, the server will assume that this number represents the number of screens available on the X11 server. This might help when the X11 monitor setup is not detected by the server. For more details see Multi Session (Linux only).

Default is 0.

Server.MultiSession.MaxClients#

This variable limits the maximum number of client sessions started by the server. Note that the number of client sessions might be larger than the number of currently connected clients, as sessions are not stopped when clients disconnect.

Default is 8.

Server.MultiSession.PortNumbersBegin#

This variable defines the minimal port number a connecting client can get assigned to. Use this and the following value to limit the number of ports open on the firewall.

Default is 9200.

Server.MultiSession.PortNumbersEnd#

This variable defines the highest port number a connecting client can get assigned to. A value of -1 indicates that the highest port number is determined by adding the values of the lowest and the number of clients (Server.MultiSession.MaxClients).

Use this and the previous value to limit the number of ports open on the firewall.

Server.MultiSession.DisplayIDsBegin#

This variable defines the start value of the range of X11 display ids used for the private X11 servers of the clients.

Default is 32.

Server.MultiSession.DisplayIDsEnd#

This variable defines the end value of the range of X11 display ids used for the private X11 servers of the clients.

Default is 128.

Server.MultiSession.Service.GracePeriod#

This variable sets a grace period after which guest sessions are terminated when they are shut down by the GUI or when the host server stops.

Default is 30.

Server.MultiSession.Secure.HidePIDs.Enabled#

When this variable is set to true, the server will unshare(1) the filesystems of the host server and remount the /proc filesystem after the X11 session has been started but before the guest user is admitted to the system.

Default is false.

Server.MultiSession.Secure.HidePIDs.GroupID#

This variable defines a Linux group, which allows its users to see all pids in the /proc filesystem.

See Security for more details.

Default is empty.

Server.MultiSession.Secure.PrivTmp.Enabled#

When this variable is set to true, the server will start the guest user service with the option --property=PrivateTmp=yes. This way the services gets spawned after fresh filesystems have been mounted on the /tmp and /var/tmp directories. After the service is stopped, the filesystems are discarded.

Default is true.

Server.MultiSession.Service.Options#

With this variable administrators can customize the settings of guest user services. The value will be added to the call of systemd-run(1), which is used to start the guest services. While the setting --property=PrivateTmp=yes can be set using Server.MultiSession.Secure.PrivTmp.Enabled, other options are available, e.g. assignment of different slices. For a full list check the manual page of systemd-run(1), the version of the installed systemd, and the online documentation.

Additional considerations should be made when changing the service to a transient scope unit or the uid of the service. This advanced configuration should only be made when fully understood.

Default is not set.

Server.MultiSession.VideoOptimizations#

When this variable is set to true, the server will directly access the framebuffer from the X11 server. On some systems, certain resolutions cause the host server to lose sync with the X11 server. In these cases the video gets distorted. By setting this variable to false the server will operate normally again.

Default is true.

Server.MultiSession.Debug#

When set to true the guest server will create log files for the X11 server and the Gnome window manager. In addition, the log level of the guest server will be set to debug. As setting this to true will slow down the guest server and produce large log files, use this setting with care.

Default is false.

Server.MultiSession.Guests.MaxIdleTime#

After a client disconnects, the session is maintained for the number of seconds defined by this setting. A value of -1 disables this timeout mechanism.

Default is 86400.

Server.MultiSession.Guests.DefaultWidth#

Defines the default width of the guest X11 server’s display.

Default is 1440.

Server.MultiSession.Guests.DefaultHeight#

Defines the default height of the guest X11 server’s display.

Default is 900.

Server.MultiSession.Guests.Pixels#

Defines the color pixels of the guest X11 server’s display (Xephir).

Default is 24.

Server.MultiSession.Guests.DPI#

Defines the DPI of the guest X11 server’s display.

Changing this value is not recommended.

Default is 96.

Server.MultiSession.Guests.LogViewer.Enabled#

The server of the guest session has a special logfile. This is by default located in the home directory of the guest session user. Set to true to show a link to the guest server’s logfile.

Default is false.

Server.MultiSession.Guests.Config.Enabled#

Setting this value to true enables the users of guest session to define individual resolutions of their sessions. To limit the values based on the processing capabilities, see the following two settings.

Default is true.

Server.MultiSession.Guests.Config.MaxWidth#

When guest users are enabled to change the resolutions of their sessions, a system administrator can limit the maximal width a user can define.

Default is 2560.

Server.MultiSession.Guests.Config.MaxHeight#

When guest users are enabled to change the resolutions of their sessions, a system administrator can limit the maximal height a user can define.

Default is 1600.

Server.MultiSession.Guests.Config.AdvancedSettings#

When Server.MultiSession.Guests.Config.Enabled is set to true this setting will enable a UI control to assist the users with defining the desired resolution.

Default is true.

Server.MultiSession.Custom.MinimizeGuestWindow#

When running Xephir as X11 server for the guest session, setting this variable to true closes the guest X11 server’s window.

Default is false.

Server.MultiSession.WindowManager.LogFile#

The setting defines the log file path of the window manager of the guest Gnome window manager.

Default is ~/.ice-remoteware/log/window-mgr.log.

Server.MultiSession.XServer.LogFile#

The setting defines the log file path of the window manager of the guest X11 server.

Default is ~/.ice-remoteware/log/xserver.log.

Server.MultiSession.AllowLongRunningProcesses#

When set to true the host server will stop all processes spawned by the user after the guest session is terminated. When set to false only processes related to the X11 session will be shutdown.

Default is false.

Server.MultiSession.SecureAdminLogin#

When set to true the host server will disable guest access to the server when an unlocked X11 session on the host is running. This prevents any undesired interaction of the host user’s session with any guest sessions.

See Security Considerations with GPU Forwarding for more details.

When GPU sharing is enabled (Server.MultiSession.GPUForwarding.Enabled) it is advisable to set this to true.

Default is false.

Server.Network#

Server.Network.Port#

The port number used by the server.

Defaults to 443 if Server.Network.Secure is true or 80 if Server.Network.Secure is false.

Server.Network.Secure#

Determines if the server operates over HTTPS (recommended).

Defaults to true.

Server.Network.Address#

When set, the server binds its network interface to the given address.

Not set by default.

Server.Network.RedirectHTTP#

If set to true, the server opens the HTTP port 80 and redirects all requests to the HTTPs port 443. When the port 80 is taken, it logs an error and continues.

Default is true.

Server.Network.UseIPv4#

If set to true, server listens on IPv4 addresses for client requests.

Defaults to true.

Server.Network.UseIPv6#

If set to true, server listens on IPv6 addresses for client requests.

Defaults to true.

Server.Network.Timeouts.Receive#

Sets the timeout (in seconds) used in the server when receiving messages from clients. If the network is unstable, a higher value can improve the user experience as connections will be maintained longer. However, it will then take longer to discover when a client is permanently disconnected.

Defaults to 4.0.

Server.Network.Timeouts.VideoSend#

Sets the timeout (in seconds) used in the server when sending the video stream to the clients. If the network is unstable, a higher value can improve the user experience as connections will be maintained longer. However, long delays when sending video frames will lead to a large backlog of frames, which is very noticeable to the user.

Defaults to 8.0.

Server.Network.Timeouts.Connect#

Sets the timeout (in seconds) used during the connection phase of the client. Increasing this value might help when a very slow or overloaded server takes too long to respond to initial setup requests.

Defaults to 8.0.

Server.Network.Access.Logger.Enabled#

Enables logging of connection requests.

Defaults to true.

Server.Network.Access.Logger.FileName#

Sets the log file to log connection requests.

Defaults to ice-remoteware-access.log.

Server.Network.Access.IPAllowList#

A comma-separated list of network/host addresses that the server will match incoming client request against to determine if the client is allowed to connect.

When this list is empty, all clients are allowed to connect. Otherwise only clients with matching addresses are allowed to connect.

<IPAllowList>86.4.0.0/16,86.5.0.0/16,2001:0db8:3c4d:0015:0000:0000:0000:0000/64,2001:db8:3c66:25::1a2f:1a2b/64</IPAllowList>

Not set by default.

Server.Network.Access.IPDenyList#

A comma-separated list of network/host addresses that the server will match incoming client request against to determine if the client will be refused to connect.

When this list is empty, all clients are allowed to connect. Otherwise clients with addresses in this list are blocked.

<IPDenyList>86.4.0.0/16,86.5.0.0/16,2001:0db8:3c4d:0015:0000:0000:0000:0000/64,2001:db8:3c66:25::1a2f:1a2b/64</IPDenyList>

Not set by default.

Server.Network.KeepAlive.Enabled#

When set to true, all connections set the TCP keep alive flag. This prevents aggressive firewalls from dropping the connections when the session is idle for a while.

Default is true.

Server.Network.KeepAlive.IdleTimeout#

Set the value for the TCP keep alive idle timeout.

Default is 20.

Server.Network.KeepAlive.Interval#

Set the value for the TCP keep alive interval.

Default is 4.

Server.QoS#

Server.QoS.Enabled#

Enables the automatic adjustment of frame rate to adapt to current performance conditions. Frame rate will start at Server.Video.Encoding.H264.StartFrameRate and jump between Server.Video.Encoding.H264.MinFrameRate and Server.Video.Encoding.H264.MaxFrameRate.

Setting this to false will cause the server to send a constant frame rate specified by Server.Video.Encoding.H264.StartFrameRate. Server.Video.Encoding.H264.MinFrameRate and Server.Video.Encoding.H264.MaxFrameRate are ignored in this case.

Defaults to true.

Server.QoS.MaxBitRate#

The variable controls the maximal outgoing average bandwidth of all connected clients. Due to sudden changes in the video stream this value is a target value which is not always reached.

Defaults to 100g.

Server.QoS.Debug.Enabled#

If set to true, the server reports very detailed statistics generated by the QoS algorithm. When enabled, this reporting puts a considerable load on the server and the log files fill up quickly.

Defaults to false.

Server.UserNotifications#

See User Notifications

Server.UserNotifications.Enabled#

If set to true, the server notifies the OS user of certain events. For example, when a user or USB device is connected or disconnected.

Default is true

Server.UserNotifications.Timeout#

Only available in Windows and Linux

Controls the time (in seconds) a user notification is shown.

Default is 4

Server.Video#

Video streaming related settings.

Server.Video.Encoding.H264.AvgBitRate#

Used to improve image quality at the cost of using more bandwidth.

The average video bit-rate is calculated by using a linear regression of two values based on the resolution of the screen and the number of bits per second, respectively. For more information, see Configure Video Bit-Rate

Defaults to 1280x720=3000k,1920x1080=6000k.

Updated in v9.1.9. Increased defaults.

Server.Video.Encoding.H264.StartFrameRate#

Initial frame rate. Measured in frames per second.

Defaults to 24.

Added in v2.2.0.

Server.Video.Encoding.H264.MinFrameRate#

The lowest valid frame rate for a connection. Measured in frames per second.

Defaults to 2.

Added in v2.2.0.

Server.Video.Encoding.H264.MaxFrameRate#

The highest allowable frame rate for a connection. Measured in frames per second.

Defaults to 30.

Windows using the default windda video source and ARM-based Mac servers can support frame rates up to 60.

Added in v2.2.0.

Server.Video.MaxWidth#

Any server-side video that exceeds this width is scaled down to this value. This is primarily used to prevent clients from receiving video with resolutions so high that the client cannot process them fast enough.

A value of -1 disables this threshold.

Defaults to 2560.

Updated in v5.0.0. Changed default.

Server.Video.MaxHeight#

Any server-side video that exceeds this height is scaled down to this value. This is primarily used to prevent clients from receiving video with resolutions so high that the client cannot process them fast enough.

A value of -1 disables this threshold.

Defaults to 1600.

Updated in v5.0.0. Changed default.

Server.Video.Lossless.Enabled#

Enables lossless video streaming within the Native Client. It doesn’t have any effect on clients connected with a web browser.

Defaults to true.

Server.Video.Refresh.Intra#

When enabled the server will not send a single I-Frame to refresh the clients’ decoders but spread the stream information over a set of frames. This way peaks in bandwidth consumption are avoided.

Defaults to true.

Server.Video.Refresh.Rate#

When this setting is set to a value higher than zero the server will update the clients’ decoders by sending periodically an I-Frame to refresh their decoding state. This setting is measured in seconds.

Defaults to 4.

Server.Video.VideoSource#

The video capture mechanism. The ICE RemoteWare software currently supports these video sources: x11, nvfbc, stream, windda, and default.

The x11 video source uses software encoding and only works for Linux systems. It supports a max frame rate of up to 60 fps.

The nvfbc video source is for Linux systems with an NVIDIA GPU and driver that support NVIDIA GRID or NVIDIA NvFBC. It supports a max frame rate of up to 60 fps.

The windda video source is optimized for Windows and supports a max frame rate of up to 60 fps.

The stream video source uses software encoding and is available on all operating systems. This video source supports a max frame rate of up to 60 fps on ARM-based Macs and 30 fps on all other systems.

The default video source selects the default video source for your system, on Windows systems windda, on Linux systems, x11``and on MacOS systems ``stream is selected.

Changed in v15.0.3. Previously named Server.VideoSource, added ``default``, deprecated ``auto``

Changed in v12.2.0. Added nvfbc.

Server.VirtualHere#

Server.VirtualHere.Enabled#

Enables USB forwarding via VirtualHere. Check your license to determine if this feature is available.

Default is true.

Server.VirtualHere.AllowedUsbDevices#

A comma-separated list of USB device names (or parts of device names) that the server will match against to allow USB forwarding from clients. When this list is empty, all USB devices are allowed to be forwarded.

For example, the following setting in the configuration file would allow the server to only accept USB devices that have the word Wacom or Speedline in their name:

<AllowedUsbDevices>Wacom,Speedline</AllowedUsbDevices>

Server.VirtualHere.UsbDevicesWithRemoteCursor#

A comma-separated list of USB device names (or parts of device names) that trigger the server to show the cursor on the server as part of the video stream. This is very useful when working with a USB tablet as these devices will not update the local cursor when connected to the server.

Default is Wacom,Huion,Xencelabs,XP-PEN,Intuos.

Server.Web#

Server.Web.Caching.Enabled#

When set to true, the server uses the HTTP cache control mechanism to limit network traffic.

Default is true.

Server.Web.PathPrefix#

The value of this variable is used as a prefix for the server URIs. This can be used to filter the requests in a multiplier.

Variable is not set by default.

Server.Web.CookiesSameSite#

Sets the same site property of the cookies used during the session. Accepted values are strict, lax, none, auto.

Warning

Make sure you understand the security implications when changing this value.

Default is auto.

Server.X11#

See Multi Server (Linux only)

Server.X11.Display#

When set the server will connect to the specified display id, :1. Otherwise the default display id will be assumed.

Default is not set.

This is a setting for specialized setup and very old installations. Please use Server.X11.Seat

Server.X11.Seat#

When set the server will connect to the specified seat, which identifies an X11 instance. Linux only

Set the X11 seat that the server should connect to.

Defaults to seat0.

openSSL#

HTTPs security settings, see HTTPS / SSL Certificates

All elements within the openSSL tag are described in the Poco SSLManager documentation.

openSSL.server.privateKeyFile#

The path to the file containing the private key for the certificate in PEM format (or containing both the private key and the certificate). This path can be absolute or relative to the XML config file. Required for HTTPS support.

openSSL.server.certificateFile#

The path to the file containing the server’s or client’s certificate in PEM format. Can be omitted if the file given in privateKeyFile contains the certificate as well. This path can be absolute or relative to the XML config file.

openSSL.server.verificationMode#

Specifies whether and how peer certificates are validated. See the Poco Context class for details. Valid values are none, relaxed, strict, and once.

Defaults to none.

Changed in v3.0.0. Default value changed.

openSSL.server.loadDefaultCAFile#

Boolean value. Specifies whether the built-in CA certificates from OpenSSL are used.

Defaults to true.

openSSL.server.cipherList#

Specifies the supported ciphers in OpenSSL notation.

Changed in v3.0.0. Default value changed.

openSSL.server.privateKeyPassphraseHandler.name#

The name of the Poco class used for obtaining the passphrase for accessing the private key. If your private key does not use a passphrase, this value is ignored.

Defaults to KeyFileHandler.

Added in v2.2.0. Default value changed.

openSSL.server.privateKeyPassphraseHandler.options.password#

The private key passphrase. This setting is ignored if there is no passphrase for the private key.

openSSL.server.invalidCertificateHandler.name#

This should be set to ConsoleCertificateHandler. The name of the class used for confirming invalid certificates.

Defaults to RejectCertificateHandler.

Added in v2.2.0. Default value changed.

openSSL.server.cacheSessions#

This should be set to false. Enables or disables session caching.

openSSL.server.extendedVerification#

Enable or disable the automatic post-connection extended certificate verification.

openSSL.server.requireTLSv1_2#

Require a TLSv1.2 connection.

Defaults to true.

Added in v2.2.0. Default value changed.

openSSL.client.verificationMode#

Specifies whether and how peer certificates are validated when the server acts as a client to a third-party host. See the Poco Context class for details. Valid values are none, relaxed, strict, and once. Defaults to relaxed. Setting this value to none is not recommended.

Added in v3.0.0.

openSSL.fips#

Enable or disable OpenSSL FIPS mode. Only supported if the OpenSSL version that this library is built against supports FIPS mode.