AquaConnect helps Macs, others share desktop apps
Terminal servers are nothing new in the computing world, particularly for enterprise environments. Citrix and Windows Terminal Services have been around for well over a decade. While terminal servers may not be new, their host operating systems (those that are available to connect users to the server) have, by and large, been versions of Windows. Last fall, a new company called AquaConnect did something unheard of: It unveiled the first Mac terminal server the world had ever seen.
What Mac users can gain from a terminal server
Terminal servers offer systems administrators a unique opportunity: Users from a variety of platforms and devices can connect to a server to view and access a desktop environment complete with applications. Behind the scenes, it's actually a session running on the server while the client merely transmits the user's keyboard and mouse interactions to the server. In turn, the server transmits a live view of the desktop and applications back to the client.
Terminal servers thus allow clients (typically low-powered workstations or inexpensive thin clients) to access a variety of applications and tools, and the software doesn't need to be deployed anywhere other than on the server itself. They also allow users of low-powered machines to access software beyond the capabilities of those machines and can even be used -- as in the case of Citrix's Web interfaces or Mac client software -- to access other operating systems.
Terminal servers' ability to support low-powered machines as well as inexpensive thin-client devices means they're often viewed as a cost-cutting solution. However, their ease of deployment also makes them an attractive alternative to the challenges of deploying applications (and indeed fully configured operating systems) across a large number of workstations. Finally, they can provide secure access to resources by limiting the number of ports that need to be opened in a network's firewall for remote clients to connect and access a variety of services.
As I said earlier, none of this information or technology is particularly new to many Windows administrators. But for Mac or multiplatform administrators, the idea of a Mac OS X terminal server is completely revolutionary. Until now, any terminal service involving Macs has been to connect to mostly Windows-based terminal servers. Citrix has offered a Mac client, which predates Mac OS X, since the '90s.
Connecting Macs to a Windows environment has had its place, particularly as a means of providing access to Windows software before Apple's transition to Intel processors. But nobody before AquaConnect has provided a way to deploy Mac applications via a terminal server or provided access to the Mac OS X environment from an alternate platform.
AquaConnect now brings those capabilities to Mac OS X Server. Administrators can install AquaConnect on a Mac OS X Server machine, load up all the applications that they want Mac or PC clients to access, and then make those available over the network.
This setup presents a whole host of new options for Mac network environments. In addition to allowing for easy software deployment, the ability to connect from virtually any computing platform provides a powerful option for making any number of current Mac OS X applications available to users with a limited investment. In other words, users need not update their Mac hardware or switch to the Mac platform from existing PCs to be able to access the new Mac applications.
Some background details and notes on future plans
Now that we've covered what AquaConnect is, let's move on to some basic information about how it works. AquaConnect installs as terminal server components built for Mac OS X Tiger Server. At present, Leopard Server isn't supported because of a number of changes to the Mac OS X Server frameworks in Leopard and Leopard Server, but AquaConnect is working on Leopard Server compatibility in an upcoming release that is also expected to feature additional enhancements that will be noted throughout this review.
Currently, clients connect to an AquaConnect server using the RFB protocol through a VNC (Virtual Network Computing) client. Any VNC viewer can be used, including the open-source Chicken of the VNC for Mac OS X and RealVNC for Windows. Client access from other platforms, including mobile devices and Java- or Web-based VNC viewers, is also supported, though screen dimensions and access speeds can be issues on mobile devices.
The reliance on VNC has its pros and cons. On the one hand, VNC is ubiquitous and makes AquaConnect completely client-agnostic. On the other hand, VNC doesn't provide the best performance compared with similar remote-access protocols, and it provides no real built-in security or encryption functionality. AquaConnect has licensed the RDP protocol from Microsoft for future releases. In fact, plans for the upcoming second-generation release will rely on RDP and the Unix X11 windowing environment instead of VNC, which should boost both security and performance.
In the meantime, some of the security concerns about VNC can be handled by tunneling the VNC connection through a secure connection such as a VPN or using SSH port-forwarding. Likewise, SSL can be used to secure a connection if security certificates are configured on the client and server. SSL, of course, requires that the VNC clients used to connect to the server support SSL.
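A defender's check of the point above, as an added example that is not part of the original article: it parses the opening bytes a VNC server sends (the RFB ProtocolVersion and security messages) and reports whether the server offers only security types with no session encryption, in which case the VPN or SSH tunnel described here is what protects the traffic. The sample byte strings are constructed, and the function and field names are hypothetical.

```python
import re
import struct

# RFB security types this sketch names (numbers from the RFB specification).
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 18: "TLS", 19: "VeNCrypt"}
# Types 1 and 2 never encrypt the session (type 2 only protects the password
# exchange). Other types depend on their own sub-negotiation and are only named.
NO_ENCRYPTION = {1, 2}


def parse_server_handshake(stream: bytes, client_minor: int = 8) -> dict:
    """Parse the first bytes a VNC server sends on connect.

    client_minor is the minor version the client replied with; the lower of
    the two minor versions decides the layout of the security message.
    """
    m = re.fullmatch(rb"RFB (\d{3})\.(\d{3})\n", stream[:12])
    if not m:
        raise ValueError("not an RFB ProtocolVersion message")
    server_minor = int(m.group(2))
    body = stream[12:]
    if min(server_minor, client_minor) >= 7:
        # RFB 3.7/3.8: a count byte followed by that many one-byte types.
        if not body or len(body) < 1 + body[0]:
            raise ValueError("truncated security-type list")
        offered = list(body[1:1 + body[0]])
    else:
        # RFB 3.3: the server dictates one type as a big-endian 32-bit value.
        if len(body) < 4:
            raise ValueError("truncated security type")
        offered = [struct.unpack(">I", body[:4])[0]]
    offered = [t for t in offered if t != 0]  # 0 or an empty list means refused
    return {
        "server_version": f"{int(m.group(1))}.{server_minor}",
        "offered": [SECURITY_TYPES.get(t, f"type {t}") for t in offered],
        "refused": not offered,
        "needs_tunnel": any(t in NO_ENCRYPTION for t in offered),
    }


# Constructed sample captures (not taken from a real server).
SAMPLE_NO_AUTH = b"RFB 003.008\n" + bytes([1, 1])
SAMPLE_VNC_AUTH_33 = b"RFB 003.003\n" + struct.pack(">I", 2) + bytes(16)
SAMPLE_VENCRYPT = b"RFB 003.008\n" + bytes([1, 19])

if __name__ == "__main__":
    for name, data in [("no-auth", SAMPLE_NO_AUTH), ("vnc-auth", SAMPLE_VNC_AUTH_33),
                       ("vencrypt", SAMPLE_VENCRYPT)]:
        print(name, parse_server_handshake(data))
```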
Also missing in the current release is support for client hardware (such as a Mac's built-in iSight camera and local drives), for viewing video or listening to audio, and for complex OpenGL graphics. None of these issues is particularly surprising for an early-generation terminal server. In fact, given the potential bandwidth usage of things like audio, video or complex graphics, one might prefer to avoid offering them from a terminal server altogether.
Likewise, limiting client devices from interacting with a server could be viewed as a good thing from an overall security perspective (though the lack of access to local files and printers could equally be viewed as a downside).
Installing AquaConnect
Like Mac OS X Server itself, AquaConnect can be installed on a wide variety of Apple hardware. Essentially any machine that meets the Tiger Server system requirements will be able to run AquaConnect. The company does recommend a base RAM of 256MB for PowerPC hardware and 512MB for Intel hardware, as well as 128MB and 256MB per user session for PowerPC and Intel servers, respectively.
The software is also optimized to take advantage of the hardware in Apple's Mac Pro and Intel's Xserve machines, which AquaConnect says results in higher performance for multiple user sessions on this hardware compared with other Apple hardware.
Like most installer applications, the process of installing AquaConnect is extremely simple. It can be done using either a graphical installer or a command-line tool. Internet access is required during installation to verify a license key against the company's license-key server.
Some initial configuration can be done during the install process, but the bulk of configuration and administration is done via a pane installed into the Mac OS X System Preferences utility. This is actually a bit of a surprising choice, given that System Preferences is largely unused when configuring and managing Mac OS X Server. Although I would have expected to see the installation of a stand-alone management tool, the System Preferences pane does provide all the needed functionality.
The AquaConnect pane is installed in the "Other" section of System Preferences on the server and contains a series of tabs, including Users, Admins, Terminal Options and Server Information.
After launching System Preferences and selecting the pane, you will need to authenticate to AquaConnect using an AquaConnect admin account (I'll get to user and admin accounts shortly). This is done by selecting or entering the server address (or DNS name) in the Host field/pop-up menu. Once the server has been selected, you'll be asked to authenticate. The host selection and authentication process is not the most intuitive at first, but neither is it particularly problematic.
The Terminal Options tab mirrors some of the options that can be set from the AquaConnect installer, including the port used for VNC connections (by default 5900) and the bit depth and resolution of the display that clients see when connected. The Server Information tab simply displays information about the server and its license.
Managing users
AquaConnect user sessions are established using either local accounts created on the server or accounts in a shared directory to which the server is bound (including Apple's Open Directory or Microsoft's Active Directory). This allows AquaConnect to function as a stand-alone server, with only a local set of user accounts, or to integrate with a larger directory services infrastructure.
Whether user accounts are local or part of a larger directory system, the creation and management of accounts are largely separate from AquaConnect's configuration pane in System Preferences. Instead, these tasks are done in the appropriate tool for the directory platform -- typically Mac OS X Server's Workgroup Manager. For user accounts specific to AquaConnect, the only option is to enable an existing user account to connect for a terminal session.
The Users tab contains a list of user accounts (including the user's short or log-in name, full name and the date/time of his or her last terminal sessions) available to the server -- either local accounts or those in a shared directory system. The same tab allows an administrator to enable each account to access a terminal session via a checkbox. The tab also includes a button to disconnect a selected user from the server and a slider to adjust the priority users have to access system resources. The latter feature is helpful if you have a diverse group of users, including some who have more important or more resource-intensive needs.
A separate set of AquaConnect administrator accounts is maintained for access to manage the AquaConnect pane in System Preferences. These admin accounts are separate from any actual user accounts, including any local administrator accounts. By default, a single account with a password is created when AquaConnect is installed. Additional AquaConnect admin accounts can easily be created, and the password for each admin (including the default admin) can be reset.
This isn't an immediately intuitive approach, but once you are aware of it, it presents no major issue. The Admins tab lists the existing AquaConnect admin accounts and allows you to add or remove admin accounts or change a password.
It's interesting to note that when AquaConnect is used as a stand-alone server, if users rely solely on it for access to Mac OS X and Mac applications, the user experience is very similar to that for an Open Directory infrastructure with network home directories. They experience the same set of preferences and Mac OS X settings wherever they log in. And they have access to their files stored in their home folders, as well as access to the Public folder in one another's home folders and to the Shared Items folder on the server. Users can also access any other folders with appropriate administrator-defined permissions on the server.
Note: As part of the upcoming update to AquaConnect, a new, more streamlined and detailed management interface is planned.
Connecting to an AquaConnect server
The process of connecting to AquaConnect is the same as connecting to any device with an installed VNC server (though this will obviously change in future versions, when RDP or X11 will be used as a connection mechanism). Enter the IP address of the server (without a VNC password) and click "Connect." Unless you are using a nonstandard VNC port or one of the security options mentioned earlier, the VNC client requires no further configuration.
When a user connects, he or she will see the Mac OS X Server log-in window and can log in with an appropriate username and password. The log-in process will proceed as it would if users were physically sitting at the server; they will see the standard Mac OS X desktop. Although logged into Mac OS X Server, users will see the standard Mac OS X set of Dock items (i.e., none of the server administration tools).
Once connected, users can manipulate files and run applications as they would on any Mac. If users make any changes to their Mac OS X configuration, those changes will be retained between sessions. Changes can include adding items to the Dock, changing the desktop picture, creating files anywhere in the home directory, setting preferences for applications and so forth. If users are connecting with a directory services account with a network home folder, they will also see those changes if they log in at a Mac bound to the same directory domain.
One notable difference from standard Mac use is that if users inadvertently select Shut Down or Restart instead of Log Out from the Apple menu at the end of their sessions, they will see a dialog indicating that other people are using the server. They will then be given the options of shutting down or restarting if they enter an administrator username and password and a "Switch User" option.