KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

vSpace 8.4 & Server 2012r2 Best Practice

Supported operating systems

Supported Server 2012 R2 variants include: Standard, Enterprise, and

Datacenter.
Note that only 64-bit versions of Windows operating systems are supported.

Supported NComputing access devices:

n L250, L300 and L350 with firmware version 1.11.17

n M300 with firmware version 2.2.16
n vSpace Client for Windows**, version 1.8.0
n vSpace Client for Chromebook**, version 1.2.0

Requirements before vSpace Server is installed:

• Operating system needs to be fully updated

• No Antivirus software*
• Joined to the domain if necessary
• Microsoft licensing fully configured
• The least amount of non-essential applications possible*

*After you have installed vSpace and configured the environment you can add
the Antivirus and necessary programs. See later in this document.

Page 1 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

Changes to vSpace in v8.4

L-series Firmware:
vSpace Server 8.4.0.3 comes with L-series firmware version 1.11.17. For correct operation
with vSpace Server 8.4.0.3, and to ensure best performance and device management, all
L-series devices need to be upgraded to firmware version 1.11.17. Refer to ‘vSpace Server
8.4 Software and Firmware Update Guide’ for information about updating the device
firmware. M300 Support:
vSpace Server 8.4.0.3 comes with M-series firmware version 2.2.16. For correct operation
with vSpace Server 8.4.0.3, and to ensure best performance and remote management, all
M-series devices need to be upgraded to firmware version 2.2.16. Refer to ‘vSpace Server
8.4 Software and Firmware Update Guide’ for information about updating the device
firmware.
vSpace Management Center Independence:
vSpace Server 8.4 incorporates direct management, via NC-Console, to manage
NComputing L-series and M-series access devices without the necessity to deploy any
additional management server. vSpace Server 8.4, L-series devices with 1.11 firmware and
M-series devices with 2.2.16 firmware are not supported by vSpace Management Center.

Microsoft Licensing

For applications where multiple interactive users are simultaneously sharing a

single operating system, standard Microsoft Windows Server licensing applies.
This means that the shared host computer (or virtual machine) runs a Microsoft
Windows Server operating system.

In addition a Microsoft Windows Server Client Access License (WS CAL) and a
Microsoft Remote Desktop Services Client Access License (RDS CAL – formerly
known as a Microsoft Terminal Services Client Access License or TS CAL) are
required for each end-user or device that accesses Windows Server (and for the
host computer if the host computer is used as a user station).

**vSpace Client is supported for desktop session delivery only and does not
include the management options available for other access devices.

Page 2 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

vSpace/RDS Organisational Unit

If you are incorporating a vSpace installation within a larger environment, you

may wish to create an OU for RDS/vSpace servers within Active Directory.

Group Policy Settings

Disable Server Manager popup at user log on:
On the server open Task Scheduler. Navigate to Task Scheduler
Library\Microsoft\Windows\Server Manager. Disable task “ServerManager” which
triggers at log on of any user.
If you have a Domain Controller older than Windows Server 2012 R2, you will
need to import Windows 8.1 and Server 2012 R2 Administrative Templates to
your Group Policy Management. This will give you a chance to use policies
designed for the latest MS operating systems.

• Download msi file from the following link: http://www.microsoft.com/en-

au/download/details.aspx?id=41193
• Double-click on msi file to unpack the Policy Definitions (default location is
C:\Program Files (x86)\Microsoft Group Policy\Windows 8.1-Windows
Server 2012 R2\PolicyDefinitions)
• Copy en-us folder (C:\Program Files (x86)\Microsoft Group Policy\Windows
8.1-Windows Server 2012 R2\PolicyDefinitions\en-us) and all admx files to
PolicyDefinitions folder
• Navigate to ‘C:\Windows\sysvol\domain\Policies’ and create a folder
PolicyDefinitions
• Close Group Policy console and re-open
• Check that new Server 2012 R2 group policy settings appeared (i.e. you can
see “Start Screen Layout” group policy object in ‘User Configuration \
Polices \ Administrative Templates \ Start Menu and Taskbar’

Page 3 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

Loopback Processing
[Computer Configuration\Policies\Administrative Templates\System\Group
Policy]
Configure user Group Policy loopback processing mode: Enable – Merge
This policy setting directs the system to apply the set of Group Policy objects for
the computer to any user who logs on to a computer affected by this setting. It is
intended for special-use computers, such as those in public places, laboratories,
and classrooms, where you must modify the user setting based on the computer
that is being used.
 If you enable this setting, you can select one of the following
modes from the Mode box:
 “Replace” indicates that the user settings defined in
the computer’s Group Policy Objects replace the user settings normally applied
to the user.
 “Merge” indicates that the user settings defined in the computer’s
Group Policy Objects and the user settings normally applied to the user are
combined. If the settings conflict, the user settings in the computer’s Group
Policy Objects take precedence over the user’s normal settings.

Page 4 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

Disable Control Panel Items

[User Configuration\Policies\Administrative Templates\Control Panel]
Hide specified Control Panel items: Enable
This setting allows you to display or hide specified Control Panel items, such as
Mouse, System, or Personalization, from the Control Panel window and the Start
screen. The setting affects the Start screen and Control Panel window, as well as
other ways to access Control Panel items, such as shortcuts in Help and Support
or command lines that use control.exe. This policy has no effect on items
displayed in PC settings.
 If you enable this setting, you can select specific items
not to display on the Control Panel window and the Start screen.
 To hide a
Control Panel item, enable this policy setting and click Show to access the list of
disallowed Control Panel items. In the Show Contents dialog box in the Value
column, enter the Control Panel item’s canonical name. For example, enter
Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization.

Add following items to the disallowed Control Panel items:


Microsoft.AdministrativeTools

Microsoft.AutoPlay

Microsoft.ActionCenter

Microsoft.ColorManagement

Microsoft.DefaultPrograms

Microsoft.DeviceManager

Microsoft.EaseOfAccessCenter

Microsoft.FolderOptions

Microsoft.iSCSIInitiator

Microsoft.NetworkAndSharingCenter

Microsoft.NotificationAreaIcons

Microsoft.PhoneAndModem

Microsoft.PowerOptions

Microsoft.ProgramsAndFeatures

Microsoft.System

Microsoft.TextToSpeech

Microsoft.UserAccounts


Page 5 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

Microsoft.WindowsFirewall

Microsoft.WindowsUpdate

Microsoft.DateAndTime

Microsoft.RegionAndLanguage

Microsoft.RemoteAppAndDesktopConnections

Install Application On Remote Desktop Server

Java
 Flash Player

Remove Administrative Tools and Powershell

Restrict access to Administrative tools

• Open RDS Lock Down Group Policy.
• Navigate to Computer Configuration >>> Policies >>> Windows Settings
>>> Security Settings
• Right click on File System, choose Add File… .
• In the Add a file or folder window, put
%AllUsersProfile%\Microsoft\Windows\Start
Menu\Programs\Administrative Tools in the Folder field and click OK.

Add a file or folder

• On the next window Database Security for
%AllUsersProfile%\Microsoft\Windows\Start
Menu\Programs\Administrative Tools\Server Manager.lnk remove

Page 6 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

Users and check that Administrators have Full Access

Database Security for Server Manager.lnk

• On the Add Object window choose Configure this file or folder then
Propagate inheritable permissions to all subfolders and files. Click
OK.

Add Object

Page 7 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

• Do the same for PowerShell shortcut (+ delete Creator Owner in database

security): %AllUsersProfile%\Microsoft\Windows\Start
Menu\Programs\System Tools\Windows PowerShell.lnk
• Do the same for Server Manager
shortcut: %AllUsersProfile%\Microsoft\Windows\Start
Menu\Programs\Administrative Tools\Server Manager.lnk
•
File Explorer Configuration

[User Configuration\Policies\Administrative Templates\Windows

Components\File Explorer]
Enable – Restrict A, B, C and D drives only: Hide these specified drives in
My Computer
This policy setting allows you to hide these specified drives in My Computer. This
policy setting allows you to remove the icons representing selected hard drives
from My Computer and File Explorer. Also, the drive letters representing the
selected drives do not appear in the standard Open dialog box. If you enable this
policy setting, select a drive or combination of drives in the drop-down list.
Enable – Remove Hardware tab
This setting removes the Hardware tab from Mouse, Keyboard, and Sounds and
Audio Devices in Control Panel. It also removes the Hardware tab from the
Properties dialog box for all local drives, including hard drives, floppy disk drives,
and CD-ROM drives. As a result, users cannot use the Hardware tab to view or
change the device list or device properties, or use the Troubleshoot button to
resolve problems with the device.
Enable – Hides the Manage item on the File Explorer context menu
Removes the Manage item from the File Explorer context menu. This context
menu appears when you right-click File Explorer or My Computer.
Enable – Remove Security tab
Removes the Security tab from File Explorer. If you enable this setting, users
opening the Properties dialog box for all file system objects, including folders,
files, shortcuts, and drives, will not be able to access the Security tab. As a
result, users will be able to neither change the security settings nor view a list of
all users that have access to the resource in question.

Disable Registry Modification

Page 8 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

[User Configuration\Policies\Administrative Templates\System]

Enable – Prevent access to registry editing tools
Disables the Windows registry editor Regedit.exe. If you enable this policy setting
and the user tries to start Regedit.exe, a message appears explaining that a
policy setting prevents the action.

Configure Windows Installer and Windows Updates

[Computer Configuration\Policies\Administrative Templates\Windows

Components\Windows Installer]
Enable: Prevent users from using Windows Installer to install updates and
upgrades
This policy setting prevents users from using Windows Installer to install
patches. If you enable this policy setting, users are prevented from using
Windows Installer to install patches. Patches are updates or upgrades that
replace only those program files that have changed. Because patches can be
easy vehicles for malicious programs, some installations prohibit their use.
Enable Always: Turn off Windows Installer
This policy setting restricts the use of Windows Installer. If you enable this policy
setting, you can prevent users from installing software on their systems or permit
users to install only those programs offered by a system administrator. You can
use the options in the Disable Windows Installer box to establish an installation
setting.

[Computer Configuration\Administrative Templates\Windows

Components\Windows Update]
Enable: Do not display ‘Install Updates and Shut Down’ option
This policy setting prevents users from using Windows Installer to install
patches. If you enable this policy setting, users are prevented from using
Windows Installer to install patches. Patches are updates or upgrades that
replace only those program files that have changed. Because patches can be
easy vehicles for malicious programs, some installations prohibit their use.

[Computer Configuration\Administrative Templates\Windows

Components\Windows Update]

Page 9 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

Enable: Do not display ‘Install Updates and Shut Down’ option

This policy setting allows you to manage whether the ‘Install Updates and Shut
Down’ option is displayed in the Shut Down Windows dialog box.
Disable: Allow non-administrators to receive update notifications
This policy setting allows you to control whether non-administrative users will
receive update notifications based on the “Configure Automatic Updates” policy
setting.

Additional Policies

[User Configuration/Policies/Administrative Templates/Start Menu and

Taskbar]
Go to the desktop instead of Start when signing in or when all the apps on a
screen are closed: Enable
This policy setting allows users to go to the desktop instead of the Start screen
when they sign in, or when all the apps on a screen are closed. This policy
setting applies to all versions of Windows, and versions of Windows Server with
the Desktop Experience installed.
If you enable this policy setting, users will always go to the desktop when they
sign in, or when all the apps on a screen are closed.

[User Configuration/Policies/Administrative Templates/Start Menu and

Taskbar]
Remove the Action Center icon: Enable
This policy setting allows you to remove the Action Center from the system
control area. If you enable this policy setting, the Action Center icon is not
displayed in the system notification area. If you disable or do not configure this
policy setting, the Action Center icon is displayed in the system notification area.

[User Configuration/Policies/Administrative Templates/Windows

Components/Windows Update]
Remove access to use all Windows Update features: Enable (0 = Do not show
any notifications)
This setting allows you to remove access to Windows Update. If you enable this
setting, all Windows Update features are removed. This includes blocking access

Page 10 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

to the Windows Update Web site at http://windowsupdate.microsoft.com, from

the Windows Update hyperlink on the Start menu, and also on the Tools menu in
Internet Explorer. Windows automatic updating is also disabled; you will neither
be notified about nor will you receive critical updates from Windows Update. This
setting also prevents Device Manager from automatically installing driver updates
from the Windows Update Web site.
If enabled you can configure one of the following notification options:
0 = Do not show any notifications
This setting will remove all access to Windows Update features and no
notifications will be shown.
1 = Show restart required notifications
This setting will show notifications about restarts that are required to complete an
installation.

[User Configuration/Policies/Administrative Templates/Windows

Components/File Explorer]
Remove CD Burning features: Enable
This policy setting allows you to remove CD Burning features. File Explorer
allows you to create and modify re-writable CDs if you have a CD writer
connected to your PC. If you enable this policy setting, all features in the File
Explorer that allow you to use your CD writer are removed. If you disable or do
not configure this policy setting, users are able to use the File Explorer CD
burning features.
Note: This policy setting does not prevent users from using third-party
applications to create or modify CDs using a CD writer.

[User Configuration/Policies/Administrative Templates/Windows

Components/File Explorer]
Prevent access to drives from My Computer: Enable (choose the drives)
Prevents users from using My Computer to gain access to the content of
selected drives.
If you enable this setting, users can browse the directory structure of the selected
drives in My Computer or File Explorer, but they cannot open folders and access
the contents. Also, they cannot use the Run dialog box or the Map Network Drive
dialog box to view the directories on these drives.

Page 11 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

To use this setting, select a drive or combination of drives from the drop-down
list. To allow access to all drive directories, disable this setting or select the “Do
not restrict drives” option from the drop-down list.
Note: The icons representing the specified drives still appear in My Computer,
but if users double-click the icons, a message appears explaining that a setting
prevents the action.
Also, this setting does not prevent users from using programs to access local
and network drives. And, it does not prevent them from using the Disk
Management snap-in to view and change drive characteristics.

[User Configuration/Policies/Administrative Templates/Windows

Components/Credentials User Interface]
Do not display the password reveal button: Enable
This policy setting allows you to configure the display of the password reveal
button in password entry user experiences. If you enable this policy setting, the
password reveal button will not be displayed after a user types a password in the
password entry text box. If you disable or do not configure this policy setting, the
password reveal button will be displayed after a user types a password in the
password entry text box.
By default, the password reveal button is displayed after a user types a password
in the password entry text box. To display the password, click the password
reveal button.
The policy applies to all Windows components and applications that use the
Windows system controls, including Internet Explorer.

[User Configuration/Policies/Administrative Templates/Windows

Components/AutoPlay Policies]
Turn off Autoplay: Enable (CD-ROM and removable media drives)
This policy setting allows you to turn off the Autoplay feature.
Autoplay begins reading from a drive as soon as you insert media in the drive. As
a result, the setup file of programs and the music on audio media start
immediately.

If you enable this policy setting, Autoplay is disabled on CD-ROM and removable
media drives, or disabled on all drives. This policy setting disables Autoplay on
additional types of drives. You cannot use this setting to enable Autoplay on
drives on which it is disabled by default. If you disable or do not configure this

Page 12 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

policy setting, AutoPlay is enabled.

Note: This policy setting appears in both the Computer Configuration and User
Configuration folders. If the policy settings conflict, the policy setting in Computer
Configuration takes precedence over the policy setting in User Configuration.

[User Configuration/Policies/Administrative Templates/Windows

Components/Remote Desktop Services/Remote Desktop Connection]
Do not allow passwords to be saved: Enable
Controls whether a user can save passwords using Remote Desktop
Connection. If you enable this setting the credential saving checkbox in Remote
Desktop Connection will be disabled and users will no longer be able to save
passwords. When a user opens an RDP file using Remote Desktop Connection
and saves his settings, any password that previously existed in the RDP file will
be deleted. If you disable this setting or leave it not configured, the user will be
able to save passwords using Remote Desktop Connection.

Desktop Experience

Enabling Remote Desktop Services

This is now enabled through the Features section of Server Manager

The Desktop Experience feature allows you to install a variety of applications and
features that are provided in the Windows client operating system on your server
that is running a Windows Server operating system. If you are running Windows
Server 2012 R2, the following Windows 8.1 features are installed when you
install Desktop Experience:
• Windows Media Player
• Video for Windows (AVI support)
• Windows SideShow
• Disk Cleanup
• Sync Center
• Sound Recorder
• Character Map
• Snipping Tool
• Support for desktop apps

Page 13 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

• Windows Store
• PC settings (adds Change PC settings to the Settings charm)
• The ability to play a slide show on your lock screen
• Integrated search (searches through the Search charm integrate results from
the local computer and the Internet through Bing)

Important: When you install Desktop Experience in Windows Server 2012 R2,
the integrated search is on by default. This feature sends information to
Microsoft. You can turn off the integrated search feature with the following steps:

To turn off integrated search

1 Open the Windows charm bar (WINDOWS+C)
2 Click Settings, click Change PC Settings, and then click Search & Apps.
3 In the Use Bing to search online section, move the slider to Off. Alternately,
in the Your Search Experience section, select Don’t get personalized
results from Bing.
Note: The Desktop Experience feature requires that you also install the
Graphical Management Tools and Infrastructure and Server Graphical Shell
features.

Media Foundation, which includes Windows Media Foundation, the Windows

Media Format SDK, and a server subset of DirectShow, provides the
infrastructure required for applications and services to transcode, analyze, and
generate thumbnails for media files. You can install Media Foundation separately
with Server Manager—but if you install the Desktop Experience feature, you
must install the Media Foundation feature as well.

Server Power Plan

When using vSpace Server, especially on desktop versions of Windows OS, the
Power Plan settings should be configured in a way, which will never allow the
hard disks to be turned off or the computer to enter the sleep or hibernation state
after a period of inactivity.

Using a physical host with AMD/ATI GPU

Page 14 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

When using a physical host with AMD/ATI GPU it’s advisable to install the video
driver only, without the Catalyst Control Center (CCC.exe) utility. This would
prevent potential memory leak in AMD’s Catalyst Control Center which may
affect system instability.

Server Performance Options

To make these configuration changes, go to Control Panel, System, System

Properties > Advanced system settings > Performance Options.

To help ensure NComputing’s services are able to run properly, Data Execution
Prevention (DEP) should be set to “Essential Windows programs and
services only” in the Data Execution Prevention tab.

Additionally, in the Advanced tab, processor scheduling should be set

to ‘Programs’ and the virtual memory should be configured to be at least the
equal of the physical RAM.

In the Visual Effects tab there are many options available and the settings may
need to vary according to site requirements.

Remove IE Enhanced Security mode.

Open Server Manager. Go to Local server > Properties > IE Enhanced

Security and set to Off.

Disable “First Run” Page in Internet Explorer

To prevent all users from needing to go through the process of Internet

Explorer’s custom set up you can instead set the following registry values:
Launch the Group Policy Editor (Start > Run > “gpedit.msc”)

Page 15 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

Navigate to [Computer Configuration > Administrative Templates >

Windows Components > Internet Explorer]
Double-click “Prevent running First Run wizard”
Set the value to “Enabled”

vSpace Console Performance Profiles

Within the vSpace Console, there are several settings that can be used to
optimize your product experience. These are found in the ‘System Settings’
area. There are, for the L-series, and separately for the M-series and vSpace
software client, Performance Profiles, of which there are several standardised
profiles, such as ‘L-Series on a High Speed Network’.

However, it is entirely possible to create you own profiles to suit particular

circumstances. Each profile is made up of around 20 settings, found in
the ‘Advanced' area all of which can be individually customised then saved to a
new profile name. Some of these are listed below:

Cursor Shadow - yes or no.

Show Window Content Whilst Dragging - yes or no.

Font Smoothing – The Option Enable Clear Type inside of Windows. This will
improve the appearance of text on certain types of monitors

Video Compression – If you’re experiencing performance issues due to the

network bandwidth needs of your L300 devices, you may limit multimedia stream
quality. The JPEG Compression Ratio is a percentage rating of quality. 95%
means maximum video quality, at highest bandwidth. 5% is minimum video
quality, with a respectively lower bandwidth requirement. It is important to note
that by decreasing video quality, the CPU assisted compression will cause an
increase in processor usage during video streaming events. In situations where
your network is robust enough to handle higher quality video, you may see
performance improvements by setting the video quality at maximum. The ideal

Page 16 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

setting for your environment should be determined through your own

benchmarking.

Under the ‘Common’ tab in 'System Settings’ you can also configure such
things as:

Disconnected Sessions Clean-Up Timeout – vSpace has an automatic feature

which will end any “orphaned” sessions after a predetermined interval. This
interval can be increased or decreased to suit the needs of the environment.
Setting it to “0” will disable it, and orphaned sessions will remain logged in until
the server is rebooted.

Exclude a Program from Hardware Acceleration

If a program displays frequent “blue box” flickering, it may be desirable to disable

video streaming for that application. To do so, simply add the application’s
executable to the following registry key:
HKEY Local Machine > System > CurrentControlSet >Control > Multiuser >
ExcludeVideoPlayerNameList
Each program in the list must be separated by a semicolon. For example,
“explorer.exe;firefox.exe”. Many common applications are preconfigured during
vSpace installation.

Configuring Remote Desktop licensing on Windows

Server 2012 R2

When installing vSpace Server on a standalone Windows Server (not belonging

to Active Directory domain) the Remote Desktop Services will be automatically
enabled during vSpace Server installation.
When installing vSpace Server on a Windows Server joined to an Active

Page 17 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

Directory domain the Remote Desktop Services must be enabled prior to vSpace
Server installation.

Configuring a Windows Server 2012 Remote Desktop Licensing server is

significantly different than configuring the same service on a Windows Server
2008 R2 system. Below are steps for configuring your Server 2012 RDS
Licensing server within a workgroup environment where the RDS Licensing
service must be setup on the system that is hosting your NComputing sessions,
and separate steps for a domain environment where a single licensing server can
be setup to service multiple vSpace sessions throughout the network.

Configuration 1: Workgroups

Small network configurations that do not involve a domain controller require that
the vSpace Server self-host its licensing. That is, each server should have the
Remote Desktop Services Licensing Service installed in addition to the vSpace
Server software. In this configuration, each vSpace Server manages the required
Windows licenses for its own access devices. Read the following steps carefully
to ensure this configuration is setup properly:

Install Remote Desktop Services Role (with License Server).

This is done through the “Roles and Features” GUI.
From Server Manager, click “Manage” and select “Add Roles and Features.”
Select “Role-based or feature-based installation.” *DO NOT* select the option
labeled “Remote Desktop Services installation.”
Select the local server on the next screen.
For “Roles”, find “Remote Desktop Services” and click Next. Skip thefollowing
Features list by clicking Next again.
From the Role Services menu, select “Remote Desktop Session Host” and
“Remote Desktop Licensing.” Each will generate a Roles and Features Wizard
popup menu. Simply click “Add Features” on each, without changing any of the
default settings. Click Next to proceed.
A restart will be required once the installation is complete. You may check the
automatic restart option at the top of the screen to initiate this restart
automatically once the installation process finishes. Click Install to begin the
installation process.

Page 18 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

Configure local License Server component.

Activate Remote Desktop License Server. To do this, open the Start screen and
type “licensing manager” and select the “Remote Desktop Licensing Manager”
icon.
In the right hand pane, right-click the local server and select “Activate Server”.
Fill out appropriate information and proceed through each of the Wizard menus –
ensuring that you leave the “Start Install Licenses Wizard now” checkbox
checked when you reach the Completing the Activate Server Wizard screen.

Proceed through the Install Licenses menus as instructed by the Wizard, filling
out the licensing program details as appropriate for your deployment until all
licenses have been installed and the Wizard comes to an end. Close the wizard
once this process is complete.

Configure the computer’s Remote Desktop Session Host service to talk to the
computer’s own license server. This process will involve the use of PowerShell.

Logon to the vSpace Server as an administrator.

Open a PowerShell prompt as an administrator (the PowerShell icon is located in
the Windows Task Bar by default).
Click the Windows PowerShell icon or run PowerShell.exe to open the
Windows PowerShell command prompt.
Invoke the following series of commands on the PowerShell prompt.
Replace LicServer with the name, FQDN or IP address of your Remote Desktop
license server.

$obj = gwmi -namespace "Root/CIMV2/TerminalServices"

Win32_TerminalServiceSetting
$obj.ChangeMode(4)
$obj.SetSpecifiedLicenseServerList("LicServer")

Reboot the server.

Page 19 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

Logon to the vSpace Server as an administrator again and run the following
PowerShell commands to verify the configuration and display the list of specified
license servers:

$obj = gwmi -namespace "Root/CIMV2/TerminalServices"

Win32_TerminalServiceSetting
$obj. LicensingType
$obj.GetSpecifiedLicenseServerList()

Note: Use ChangeMode(2) for per-device licenses or ChangeMode(4) for per-

user licenses.

Note: “LicServer” should be the local computer name. The quotes are required.

Close the PowerShell window once you have verified your configuration.

To check to make sure that the server is configured properly, open the Start
screen and type “licensing diagnoser” and select the licensing diagnoser. The
resulting screen will list currently available licensing servers under the “Remote
Desktop Services License Server Information” section. Select your licensing
server and an expanded “License Server Configuration Details” menu will drop
out below, listing the number of installed and available licenses.

Configuration 2: Domain / Active Directory

environment

A Domain environment necessitates that there be an independent Remote

Desktop Services Licensing Server. It can be configured the same way as the
steps above. In a domain environment the license server should not be used as a
session host, because it will generally be serving licenses to multiple session
host servers, and it’s a “standard best practice” to not use a server performing a
critical function for other systems as a vSpace session host.

Page 20 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

On the designated License Server, repeat steps as from Configuration 1.

On your vSpace Server host(s), install the Remote Desktop Session Host role
(without license server role).
From Server Manager, click “Manage” and select “Add Roles andFeatures.”
Select “Role-based or feature-based installation.” *DO NOT* select the option
labeled “Remote Desktop Services installation.”
Select the local server on the next screen.
For “Roles”, find “Remote Desktop Services” and click Next. Skip the following
Features list by clicking Next again.
From the Role Services menu, select “Remote Desktop Session Host” with the
default settings.

A restart will be required once the installation is complete. You may check the
automatic restart option at the top of the screen to initiate this restart
automatically once the installation process finishes. Click Install to begin the
installation process.

Configure the vSpace host’s Remote Desktop Session Host service to talk to the
separate License Server. Once again, this is done through powershell.

Open a PowerShell prompt as an administrator

Type the following commands on the PS prompt, pressing Enter after each line

$obj = gwmi -namespace "Root/CIMV2/TerminalServices"

Win32_TerminalServiceSetting
$obj.ChangeMode(2)

Note: Use ChangeMode(2) for per-device licenses or ChangeMode(4) for per-

user licenses.

$obj.SetSpecifiedLicenseServerList("LicServer")

Page 21 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

Note: “LicServer” should be the NETBIOS name, FQDN, or IP address of the

previously configured License Server. The quotes are required.

$obj.GetSpecifiedLicenseServerList()

Note: This command will show you the current config, which should have the
license server name in the output next to “SpecifiedLSList”. This will verify
whether the previous steps were completed correctly. You may close the
PowerShell window once you have verified your configuration.

To check to make sure that the server is configured properly, open the Start
screen and type “licensing diagnoser” and select the licensing diagnoser. The
resulting screen will list currently available licensing servers under the “Remote
Desktop Services License Server Information” section. Select your licensing
server and an expanded License Server Configuration Details menu will drop out
below, listing the number of installed and available licenses.

vSpace installation.
To ensure successful installation the vSpace Server Installer must be
launched from the system administrator’s account - only belonging to the
Administrators group is not enough.

vSpace Server Installer delivered in form of an MSI package should be launched

from administrator’s Command Prompt with the help of msiexec command:
C:\>msiexec /i vSpace_LSeries_x64.msi

The vSpace Server Installer launched by right-clicking the MSI file or selecting
the Install option will only finish successfully if the current user is the system
administrator.

Page 22 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

Performing device firmware upgrades:

L-series Firmware

vSpace Server 8.4comes with L-series firmware version 1.11. For correct
operation with vSpace Server 8.3, and to ensure best performance and remote
management, all L-series devices need to be upgraded to firmware version 1.11.
Refer to ‘vSpace Server 8.4Software and Firmware Upgrade Guide’ for
information about upgrading the device firmware.

Upgrading device firmware in Direct mode using Boot Server for Miniterm
service
1 Open the NC-Console. Select the Devices node in the tree on the left hand
side. On the Devices list select the devices to be upgraded. Hold down the
Shift or Control key while selecting to select multiple devices. Right-click a
selected device and choose the Update Device Firmware Directly...
option from the pop-up menu.

Page 23 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

In the Device Firmware Updater window select the Latest firmware radio
button and click the OK button to initiate the process.

Note: As the Boot Server for Minitrem is a UDP-based service it can only deliver
the firmware in Local Area Networks. The access devices and the vSpace Server
delivering the firmware must be located in the same IP subnet. For devices
located in remote subnets use the Direct mode with an FTP server.

Upgrading device firmware in Direct mode using FTP server Note: this
method allows performing firmware downgrades too.

Open the NC-Console. Select the Devices node in the tree on the left hand side.
On the Devices list select the devices to be upgraded. Hold down the Shift or
Control key while selecting to select multiple devices.

Right-click a selected device and choose the Update Device Firmware

Directly... option from the pop-up menu.

In the Device Firmware Updater window select the Selected firmware radio
button. Enter the FTP URL of the package file containing the desired firmware
version. Enter the FTP user name and password if necessary.

Page 24 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

Note: The package file containing the desired device firmware must be uploaded
to the FTP server prior to performing the upgrade. This method allows upgrading
devices located in remote subnets. Click the OK button to initiate the process.

Migration scenarios

Different vSpace Server software and device firmware versions have different
management capabilities. The NC-Console contained in all vSpace Server
versions supports the Direct mode management, while Management Server
mode management is only available in certain versions - v7 - 8.1, firmware up to

Page 25 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

1.9.301.

Recommended firmware upgrade methods

To perform a firmware upgrade an upgrade method that is supported by both the
vSpace Server and the device must be selected. Whenever possible the Direct
method should be used, as it does not depend on the existence and operation of
any Management Server.
Direct – device firmware upgrade in Direct mode using Boot Server for Miniterm
service or an FTP server (depending on the location of devices).
Management Server – device firmware upgrade in Management Server mode.
3.1.2. Sequence of actions
The necessary sequence of actions depends on the method being used for
updating the device firmware.
Firmware upgrade in Direct mode
1 Upgrade the vSpace Server Software
2 Upgrade the device firmware
Firmware upgrade in Management Server mode
1 Upgrade the device firmware
2 Upgrade the vSpace Server software
See vSpace upgrade guide for full details.

Configuring Firewall and Antivirus for NComputing

Products
Antivirus, firewall, and other types of security software can sometimes interfere
with the initial configuration or continued operation of
NComputing's vSpace software. This document gives basic information on
applications, services, and network communication within vSpace, which can be
used to configure security software and help ensure compatibility and stable,
continued operation.
Symptoms
• Error: Network Error Code 10014 / Network Error Code 10054
• vSpace Update Cannot Reach Update Server
• vSpace Host Not Visible in Connection List
• Client Hangs (Freezes) During Connection

Page 26 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

vSpace Installation
Please make sure to DISABLE any Anti-Virus or Firewall software during the
installation of our product. Software of this type has been tested and known to
interfere with the installation of our product. After installation has completed, you
may re-enable Anti-Virus and Firewall software.

If system instability occurs after installing NComputing vSpace, please try

removing vSpace and any antivirus or security software present, and then
reinstalling vSpace. If the system is stable in this configuration, re-install the
antivirus software. In some cases, this change in install order can improve the
interaction between vSpace and antivirus software. If issues persist, please try
configuring your security software to ignore/allow/trust the following ports and
executables:

Port Exceptions

Registration: TCP 80, 3630 (connects to:

register.ncomputing.com, 184.106.8.208)

Update: TCP 20, 21 (connects to: 70.182.176.102, 81.169.173.128)

Management: TCP 1284

MDNS: UDP 5353


File Access Exceptions


C:\Program Files\NComputing


Summary

The above exceptions and practices can help ensure the best level of interaction
between vSpace and your environment. If issues still persist with a particular
application, please contact the application's vendor. If a workaround exists for
your antivirus solution of choice and NComputing engineers have verified its
effectiveness, a search for the application's name in the NComputing knowledge
base will typically reveal any available solutions.

Page 27 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

LogonTimeout - stay at the windows loginscreen after

connecting to the Server

This ‘tweak’ needs to be effected via the following registry setting.

The example below, shows 120 seconds which is a fairly sensible time limit
as long as the L300 isn’t set to auto connect, (but not auto logon). If it is set
to auto connect, then if no one logs in, the terminal will be seen to continue
to cycle through the connection/disconnection process every couple of
minutes which not only looks odd to some, but can eventually cause logon
issues.

Set the value of ‘LogonTimeout’ to a long period. The value is in seconds, so as

an example, set a value of 36000 for a period of 10 hours. This will ensure that
the stations won't keep cycling.

Page 28 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

Enable Software Rendering in Internet Explorer (IE9

and above)

In most situations, using software rendering instead of GPU rendering will

improve overall web browsing and video play back experience. To disable
hardware acceleration and use software rendering instead of hardware rendering
to view the webpage.

This can be set in IE Advanced Settings but may reset itself and revert back to
GPU Rendering. To resolve this and insure that the setting will stay on software
rendering, you can create the following GPO template.

Open Notepad and copy-paste the following into a new text file:
CLASS USER
CATEGORY "AdditionalSettings"
CATEGORY "InternetExplorer"
POLICY "UseSoftwareRenderingInIE9"
KEYNAME "Software\Microsoft\Internet Explorer\Main"
VALUENAME "UseSWRender"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY;
END CATEGORY;

Save the text document with an “.adm” extension, and a filename of your choice.
(for example, “usesoftwarerendering.adm”). Start the Group Policy Editor
(“gpedit.msc”) and under “User Configuration”, right-click “Administrative
Templates” and uncheck “filter on”.

Right-click Administrative Templates and click “Add/Remove Templates”.

Click “Add” and point to the text file you just created. Click “Close” to apply the
Template.

Page 29 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016

 KB 10000230516 – vSpace 8.4 & Server 2012r2 Best Practice.

Navigate to Administrative Templates > Classic Administrative Templates

and click “Internet Explorer” to view the new policy, called
“UseSoftwareRenderingInIE9”. Double-click this policy and change the value
to “Enabled”.

Scheduled Host Reboot

Due to the large number of users logging on and off the system and the various
programs and devices that are being used it is recommended that you schedule
a task to perform a daily reboot to refresh the host’s resources. One way this can
be accomplished is by scheduling a task for off peak hours.

To schedule the task please open Task Scheduler which is located

in: Administrative Tools. Click Action, and select Create Basic Task. Create a
basic task and name it ‘reboot', click Next. Set the Trigger to Daily and click
Next.

For Action select Start a program, click Next then add the text
C:\Windows\System32\shutdown.exe in the “Program/script:” field. Type –f –r in
the “Add arguments (optional):” field, click Next, and then click Finish.

Page 30 of 30 Senthil Kumar P | Technical Manager APAC | 23-05-2016