Nick, I think as it stands today (and unless a patch is forthcoming pretty quickly), VNC fails your business requirements for the time being.

Use ConnectPriority=2 on the *server*. However, there's an outstanding bug that allows VNC clients to come in as "shared", and view this connection but not take over it, when connectpriority is 2.

ConnectPriority instructions:

In TightVNC, there is a radio button group in the Advanced dialog. Set "Refuse concurrent connections".

In normal AT&T WinVNC (I think, I could be wrong), this has to be done using a registry editor.

    HKLM\ORL\WinVNC3\ConnectPriority REG_DWORD 2

The default value for this is 0 - disconnect existing sessions.

If this doesn't secure your site adequately, I would suggest rdesktop on the Unix boxes to connect to the Terminal Services Administration mode (installed by default in win2k and .NET server). This allows two concurrent users, as well as a third on the console. If you need more, then add the TS licensing component and buy some TS licenses from your MS vendor. I suggest using about 512 MB of RAM to a box that has 20 simultaneous users and 1 GB to a box that has about 50 users. It's a good idea for this box to be a dual proc if you're going for 50 users. With any dual PIII or Xeons this will be fine for normal office work - 2K is *very* good at sharing program images like IE and Office. Even with 50 users, you'll still get sub-second launch times for Word, Outlook, etc*.

http://www.rdesktop.org/

I know it's not VNC, but it does satisfy your business requirements to not show a particular session. However, users must be trained to log out, not "disconnect" their session when using rdesktop. Disconnect allows the session to be resumed by another user successfully authenticating to the same user. If the HR person logs on as "alice" and Joe Bob logs on as "joe bob", then there's no problem - Joe Bob cannot take over the disconnected "alice" session.

Andrew

* I did the security audits and some of the security architecture on this:

http://optusbusiness.com.au/00/01/00/000100fb.asp?spid=423

The global predecessor before C&W offloaded C&W Optus to Singtel.

http://www.cwas.net/ (site down when I went there :-( )

Some very large sites use CWaS.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Stock
Sent: Wednesday, 20 March 2002 8:41 PM
To: [EMAIL PROTECTED]
Subject: Restricting access

Hi All,

[snip]

I cannot find any way to easily restrict the windows box to one connection at a time. The "-noshared" option with "ConnectPriority=2" is only useful if everyone uses it and there is no practical way to police a client side requirement.