AquaConnect helps Macs, others share desktop apps
Terminal servers are nothing new in the computing world, particularly for enterprise environments. Citrix and Windows Terminal Services have been around for well over a decade. While terminal servers may not be new, their host operating systems (those that are available to connect users to the server) have, by and large, been versions of Windows. Last fall, a new company called AquaConnect did something unheard of: It unveiled the first Mac terminal server the world had ever seen.
What Mac users can gain from a terminal server
Terminal servers offer systems administrators a unique opportunity: Users from a variety of platforms and devices can connect to a server to view and access a desktop environment complete with applications. Behind the scenes, it's actually a session running on the server while the client merely transmits the user's keyboard and mouse interactions to the server. In turn, the server transmits a live view of the desktop and applications back to the client.
Terminal servers thus allow clients (typically low-powered workstations or inexpensive thin clients) to access a variety of applications and tools, and the software doesn't need to be deployed anywhere other than on the server itself. They also allow users of low-powered machines to access software beyond the capabilities of those machines and can even be used -- as in the case of Citrix's Web interfaces or Mac client software -- to access other operating systems.
Terminal servers' ability to support low-powered machines as well as inexpensive thin-client devices means they're often viewed as a cost-cutting solution. However, their ease of deployment also makes them an attractive alternative to the challenges of deploying applications (and indeed fully configured operating systems) across a large number of workstations. Finally, they can provide secure access to resources by limiting the number of ports that need to be opened in a network's firewall for remote clients to connect and access a variety of services.
As I said earlier, none of this information or technology is particularly new to many Windows administrators. But for Mac or multiplatform administrators, the idea of a Mac OS X terminal server is completely revolutionary. Until now, any terminal service involving Macs has been to connect to mostly Windows-based terminal servers. Citrix has offered a Mac client, which predates Mac OS X, since the '90s.
Connecting Macs to a Windows environment has had its place, particularly as a means of providing access to Windows software before Apple's transition to Intel processors. But nobody before AquaConnect has provided a way to deploy Mac applications via a terminal server or provided access to the Mac OS X environment from an alternate platform.
AquaConnect now brings those capabilities to Mac OS X Server. Administrators can install AquaConnect on a Mac OS X Server machine, load up all the applications that they want Mac or PC clients to access, and then make those available over the network.
This setup presents a whole host of new options for Mac network environments. In addition to allowing for easy software deployment, the ability to connect from virtually any computing platform provides a powerful option for making any number of current Mac OS X applications available to users with a limited investment. In other words, users need not update their Mac hardware or switch to the Mac platform from existing PCs to be able to access the new Mac applications.
Some background details and notes on future plans
Now that we've covered what AquaConnect is, let's move on to some basic information about how it works. AquaConnect installs as terminal server components built for Mac OS X Tiger Server. At present, Leopard Server isn't supported because of a number of changes to the Mac OS X Server frameworks in Leopard and Leopard Server, but AquaConnect is working on Leopard Server compatibility in an upcoming release that is also expected to feature additional enhancements that will be noted throughout this review.
Currently, clients connect to an AquaConnect server using the RFB protocol through a VNC (Virtual Network Computing) client. Any VNC viewer can be used, including the open-source Chicken of the VNC for Mac OS X and RealVNC for Windows. Client access from other platforms, including mobile devices and Java- or Web-based VNC viewers, is also supported, though screen dimensions and access speeds can be issues on mobile devices.
The reliance on VNC has its pros and cons. On the one hand, VNC is ubiquitous and makes AquaConnect completely client-agnostic. On the other hand, VNC doesn't provide the best performance compared with similar remote-access protocols, and it provides no real built-in security or encryption functionality. AquaConnect has licensed the RDP protocol from Microsoft for future releases. In fact, plans for the upcoming second-generation release will rely on RDP and the Unix X11 windowing environment instead of VNC, which should boost both security and performance.
In the meantime, some of the security concerns about VNC can be handled by tunneling the VNC connection through a secure connection such as a VPN or using SSH port-forwarding. Likewise, SSL can be used to secure a connection if security certificates are configured on the client and server. SSL, of course, requires that the VNC clients used to connect to the server support SSL.
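The point about VNC's missing encryption can be checked from the server's own RFB handshake. The sketch below is an added example, not AquaConnect code or anything from the vendor: it parses the ProtocolVersion banner and security message and reports whether the session has to ride a VPN or SSH tunnel. The security-type numbers come from RFC 6143 and the IANA RFB registry, and the sample bytes are constructed.

```python
import struct

# RFB security-type numbers (RFC 6143 / IANA RFB registry); not from the article.
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 18: "TLS", 19: "VeNCrypt"}
ENCRYPTING = {18, 19}  # types that wrap the whole session in TLS


def _refusal(data: bytes) -> str:
    """Decode the u32-length-prefixed reason string sent with a refusal."""
    if len(data) < 4:
        raise ValueError("truncated refusal reason")
    (n,) = struct.unpack(">I", data[:4])
    return data[4:4 + n].decode("latin-1")


def parse_handshake(banner: bytes, security_msg: bytes) -> dict:
    """Parse the server's 12-byte ProtocolVersion and its security message."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    version = (int(banner[4:7]), int(banner[8:11]))
    info = {"version": version, "types": [], "refused": None}
    if version >= (3, 7):
        # 3.7 and later: one count byte, then that many one-byte types.
        if not security_msg:
            raise ValueError("empty security message")
        count = security_msg[0]
        if count == 0:
            info["refused"] = _refusal(security_msg[1:])
            return info
        info["types"] = list(security_msg[1:1 + count])
        if len(info["types"]) != count:
            raise ValueError("truncated security-type list")
    else:
        # 3.3: the server picks a single type and sends it as a u32.
        if len(security_msg) < 4:
            raise ValueError("truncated security type")
        (chosen,) = struct.unpack(">I", security_msg[:4])
        if chosen == 0:
            info["refused"] = _refusal(security_msg[4:])
        else:
            info["types"] = [chosen]
    return info


def type_names(info: dict) -> list:
    return [SECURITY_TYPES.get(t, f"unknown({t})") for t in info["types"]]


def needs_tunnel(info: dict) -> bool:
    """True if any offered type leaves keystrokes and screen data in the clear.
    VNC Authentication only protects the password exchange, not the session."""
    return any(t not in ENCRYPTING for t in info["types"])


# Constructed sample: a 3.8 server offering only "None", as in a password-less setup.
SAMPLE_BANNER = b"RFB 003.008\n"
SAMPLE_SECURITY = b"\x01\x01"

if __name__ == "__main__":
    parsed = parse_handshake(SAMPLE_BANNER, SAMPLE_SECURITY)
    print(parsed["version"], type_names(parsed), "tunnel required:", needs_tunnel(parsed))
```

When the result is "tunnel required", keep port 5900 closed at the firewall and reach it only through the VPN or an SSH local forward.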
Also missing in the current release is support for client hardware (such as a Mac's built-in iSight camera and local drives), for viewing video or listening to audio, and for complex OpenGL graphics. None of these issues is particularly surprising for an early-generation terminal server. In fact, given the potential bandwidth usage of things like audio, video or complex graphics, one might prefer to avoid offering them from a terminal server altogether.
Likewise, limiting client devices from interacting with a server could be viewed as a good thing from an overall security perspective (though the lack of access to local files and printers could equally be viewed as a downside).
Like Mac OS X Server itself, AquaConnect can be installed on a wide variety of Apple hardware. Essentially any machine that meets the Tiger Server system requirements will be able to run AquaConnect. The company does recommend a base RAM of 256MB for PowerPC hardware and 512MB for Intel hardware, as well as 128MB and 256MB per user session for PowerPC and Intel servers, respectively.
The software is also optimized to take advantage of the hardware in Apple's Mac Pro and Intel's Xserve machines, which AquaConnect says results in higher performance for multiple user sessions on this hardware compared with other Apple hardware.
As with most installer applications, the process of installing AquaConnect is extremely simple. It can be done using either a graphical installer or a command-line tool. Internet access is required during installation to verify a license key against the company's license-key server.
Some initial configuration can be done during the install process, but the bulk of configuration and administration is done via a pane installed into the Mac OS X System Preferences utility. This is actually a bit of a surprising choice, given that System Preferences is largely unused when configuring and managing Mac OS X Server. Although I would have expected to see the installation of a stand-alone management tool, the System Preferences pane does provide all the needed functionality.
The AquaConnect pane is installed in the "Other" section of System Preferences on the server and contains a series of tabs, including Users, Admins, Terminal Options and Server Information.
After launching System Preferences and selecting the pane, you will need to authenticate to AquaConnect using an AquaConnect admin account (I'll get to user and admin accounts shortly). This is done by selecting or entering the server address (or DNS name) in the Host field/pop-up menu. Once the server has been selected, you'll be asked to authenticate. The host selection and authentication process is not the most intuitive at first, but neither is it particularly problematic.
The Terminal Options tab mirrors some of the options that can be set from the AquaConnect installer, including the port used for VNC connections (by default 5900) and the bit depth and resolution of the display that clients see when connected. The Server Information tab simply displays information about the server and its license.
AquaConnect user sessions are established using either local accounts created on the server or accounts in a shared directory to which the server is bound (including Apple's Open Directory or Microsoft's Active Directory). This allows AquaConnect to function as a stand-alone server, with only a local set of user accounts, or to integrate with a larger directory services infrastructure.
Whether user accounts are local or part of a larger directory system, the creation and management of accounts are largely separate from AquaConnect's configuration pane in System Preferences. Instead, these tasks are done in the appropriate tool for the directory platform -- typically Mac OS X Server's Workgroup Manager. For user accounts specific to AquaConnect, the only option is to enable an existing user account to connect for a terminal session.
The Users tab contains a list of user accounts (including the user's short or log-in name, full name and the date/time of his or her last terminal sessions) available to the server -- either local accounts or those in a shared directory system. The same tab allows an administrator to enable each account to access a terminal session via a checkbox. The tab also includes a button to disconnect a selected user from the server and a slider to adjust the priority users have to access system resources. The latter feature is helpful if you have a diverse group of users, including some who have more important or more resource-intensive needs.
A separate set of AquaConnect administrator accounts is maintained for access to manage the AquaConnect pane in System Preferences. These admin accounts are separate from any actual user accounts, including any local administrator accounts. By default, a single account with a password is created when AquaConnect is installed. Additional AquaConnect admin accounts can easily be created, and the password for each admin (including the default admin) can be reset.
This isn't an immediately intuitive approach, but once you are aware of it, it presents no major issue. The Admins tab lists the existing AquaConnect admin accounts and allows you to add or remove admin accounts or change a password.
It's interesting to note that when AquaConnect is used as a stand-alone server, if users rely solely on it for access to Mac OS X and Mac applications, the user experience is very similar to that for an Open Directory infrastructure with network home directories. They experience the same set of preferences and Mac OS X settings wherever they log in. And they have access to their files stored in their home folders, as well as access to the Public folder in one another's home folders and to the Shared Items folder on the server. Users can also access any other folders with appropriate administrator-defined permissions on the server.
Note: As part of the upcoming update to AquaConnect, a new, more streamlined and detailed management interface is planned.
Connecting to an AquaConnect server
The process of connecting to AquaConnect is the same as connecting to any device with an installed VNC server (though this will obviously change in future versions, when RDP or X11 will be used as a connection mechanism). Enter the IP address of the server (without a VNC password) and click "Connect." Unless you are using a nonstandard VNC port or one of the security options mentioned earlier, the VNC client requires no further configuration.
When a user connects, he or she will see the Mac OS X Server log-in window and can log in with an appropriate username and password. The log-in process will proceed as it would if users were physically sitting at the server; they will see the standard Mac OS X desktop. Although logged into Mac OS X Server, users will see the standard Mac OS X set of Dock items (i.e., none of the server administration tools).
Once connected, users can manipulate files and run applications as they would on any Mac. If users make any changes to their Mac OS X configuration, those changes will be retained between sessions. Changes can include adding items to the Dock, changing the desktop picture, creating files anywhere in the home directory, setting preferences for applications and so forth. If users are connecting with a directory services account with a network home folder, they will also see those changes if they log in at a Mac bound to the same directory domain.
One notable difference from standard Mac use is that if users inadvertently select Shut Down or Restart instead of Log Out from the Apple menu at the end of their sessions, they will see a dialog indicating that other people are using the server. They will then be given the option of shutting down or restarting, provided they enter an administrator username and password, along with a "Switch User" option.
Although this dialog is reminiscent of Mac OS X's Fast User Switching, AquaConnect notes that Fast User Switching is not the basis for this AquaConnect functionality. In fact, Fast User Switching is not even supported with AquaConnect. The AquaConnect dialog merely indicates that the server is aware of and alerting users to the fact that other users are connected.
These issues should be addressed in the forthcoming release of the software but for now are considerations that administrators should take into account when working with the product. Using file and folder permissions is one solution, as is the use of options such as managed preferences or parental controls for configuring the Mac OS X user environment.
Performance and end-user experience
Performance for AquaConnect is pretty impressive, even on the most modest of hardware. Testing it on hardware even as basic as a PowerPC G4 Mac Mini yielded a system that could support a handful of users with no major performance issues when connected via 802.11g wireless or 100Mbit/sec. Ethernet. Applications ranged from Web tools like Apple's Safari Web browser through Microsoft Office for Mac and Apple's iWork, all the way up to Photoshop. They all had passable performance even on this very limited hardware.
Obviously, the more bandwidth that's available, the better the performance of any terminal server. In relatively small environments with a limited amount of network traffic, 802.11g and 100Mbit/sec. Ethernet appear adequate. In fact, in environments like a small office or a classroom with fewer than 10 connected workstations, performance is actually better than one might expect with live screen updates of text and graphics. This is true even when working with moderate-size Photoshop documents with multiple layers and filters.
That said, most environments -- particularly those with more than a handful of computers or devices -- will probably require Gigabit Ethernet to ensure reasonable performance.
Obviously, enterprise deployments will opt for much more powerful hardware, and Apple's Xserve provides an excellent platform for AquaConnect. Although using Office on a low-end PowerPC Mac Mini running AquaConnect, for example, led to fair performance, simple Word tasks run through a single AquaConnect session resulted in about 35% CPU usage. Running on an Intel Xserve, CPU usage for most Intel-native applications with a single user was well below 10%.
Scaling usage patterns for AquaConnect in an enterprise environment is likely to require a fair amount of testing to determine the exact number of user sessions each server can realistically accommodate, depending on the precise mix of applications involved. The suggested RAM allotments per user session, which appear to be extremely realistic for most environments, are probably the best guide.
One thing worth noting with regard to performance and memory requirements is that AquaConnect has made strides in enabling the reuse of code and resources being accessed by multiple users. This means that if two users have open sessions and are running a similar set of applications, the actual system resources required by the server are not going to be doubled. This is an excellent feature, though again, it can make finding the precise mix of applications and number of realistically supportable users a little challenging without a fair amount of testing.
Overall, I have to admit that I am rather impressed with AquaConnect. It provides a stable and well-performing solution for providing terminal services from Mac OS X Server. It offers a surprising level of simplicity of setup and ease of use and manages to support a very broad base of clients. For an initial release of such a broad product, AquaConnect's engineers deserve a pat on the back.
This combination of attributes will make AquaConnect attractive to a number of organizations. It will be useful to those who are looking at options for cost-cutting or maintaining an existing Mac or dual-platform environment. It will be equally helpful to those who are just beginning to consider an investment in Mac OS X. In fact, Mac administrators considering AquaConnect will find themselves with many of the same opportunities and decisions that administrators considering Windows Terminal Services and Citrix have had for years.
On the other hand, it does show that AquaConnect is a relatively new product. From the lack of Leopard support, to the reliance on VNC, to the occasional interface elements where I've found myself saying something like "This isn't particularly intuitive, but...," it's clear that AquaConnect is still finding its footing in several respects. Probably the single biggest drawback to the product is potential access by non-admin users to features that one would prefer non-admin users not even see, including items like sleep, shut down and restart, even if a third-party product can be used to mitigate the issue.
To me, this doesn't readily rule the product out as a solution, but it does mean that implementing it should involve a good deal of planning and testing before use in a production environment. Many administrators, however, while impressed with AquaConnect as a whole, will probably find the best option to be to wait and see what the company does next rather than to invest that effort at this time. If AquaConnect's forthcoming release demonstrates the same ingenuity as its initial offering, it will emerge as a serious option for most of those administrators.
Additional information on AquaConnect and registration for a free trial is available from the company's Web site. Slides from a MacEnterprise.org webcast, with additional technical details, are also available.
Ryan Faas is a freelance writer and technology consultant specializing in Mac and multiplatform network issues. In addition to writing for Computerworld, he is a frequent contributor to InformIT.com. Ryan was also the co-author of O'Reilly's Essential Mac OS X Panther Server Administration. You can find more information about Ryan, his consulting services and his recently published work at www.ryanfaas.com and can e-mail him at firstname.lastname@example.org.
The Computerworld (US) review, "AquaConnect helps Macs, others share desktop apps," which was posted to the newswire Wednesday, misstated in the 15th paragraph the amount of RAM recommended per user session by AquaConnect. That paragraph has been corrected.