VirtualBox, the graphical user interface, has a built-in server for the VirtualBox Remote Desktop Protocol (VRDP). This allows you to see the output of a virtual machine's window remotely on any other computer and control the virtual machine from there, as if it were running on the remote machine.
VRDP is a backwards-compatible extension to Microsoft's Remote Desktop Protocol (RDP). Typically graphics updates and audio are sent from the remote machine to the client, while keyboard and mouse events are sent back.
With VirtualBox, the graphical user interface, the VRDP server is disabled by default, but can easily be enabled on a per-VM basis either with the VirtualBox GUI or with VBoxManage:
VBoxManage modifyvm <vmname> -vrdp on
If you use VBoxHeadless (described below), VRDP support will be automatically enabled.
Additional settings for modifyvm are -vrdpport and -vrdpauthtype; see Section 8.5, “VBoxManage modifyvm” for details.
While the VRDP server that is built into the VirtualBox GUI is perfectly capable of running virtual machines remotely, it is not convenient to have to run VirtualBox if you never want to have VMs displayed locally in the first place. In particular, if you are running servers whose only purpose is to host VMs, and all your VMs are supposed to run remotely over VRDP, then it is pointless to have a graphical user interface on the server at all, especially since, on a Linux or Solaris host, VirtualBox comes with dependencies on the Qt and SDL libraries, which is inconvenient if you would rather not have the X Window system on your server at all.
VirtualBox therefore comes with yet another front-end that produces no visible output on the host at all, but instead only delivers VRDP data. With VirtualBox 1.6, this "headless server" is now aptly called VBoxHeadless. (In previous versions, it was called VBoxVRDP. For the sake of backwards compatibility, the VirtualBox installation still installs an executable with that name as well.)
To start a virtual machine with VBoxHeadless, you have two options:
You can use VBoxManage startvm <vmname> -type vrdp. The extra -type option causes the VirtualBox core to use VBoxHeadless as the front-end to the internal virtualization engine.
The recommended way, however, is to use VBoxHeadless directly, as follows:
VBoxHeadless -startvm <uuid|name>
This is the recommended way, because when starting the headless interface through VBoxManage, you will not be able to view or log messages that VBoxHeadless may have output on the console. Especially in case of startup errors, such output might be desirable for problem diagnosis.
Note that when you use VBoxHeadless to start a VM, the built-in VRDP server will always be enabled, regardless of whether you have enabled the VRDP server in the VM's settings. If this is undesirable (for example because you want to access the VM via ssh only), start the VM like this:
VBoxHeadless -startvm <uuid|name> -vrdp=off
To have the VRDP server use the setting from the VM configuration, as the other front-ends would, use this:
VBoxHeadless -startvm <uuid|name> -vrdp=config
The following instructions may give you an idea how to create a virtual machine on a headless server over a network connection. We will create a virtual machine, establish a VRDP connection and install a guest operating system -- all without having to touch the headless server. All you need is the following:
VirtualBox on a server machine with a supported host operating system; for the following example, we will assume a Linux server;
an ISO file on the server, containing the installation data for the guest operating system to install (we will assume Windows XP in the following example);
a terminal connection to that host over which you can access a command line (e.g. via telnet or ssh);
an RDP viewer on the remote client; on a Linux client, you could use rdesktop to connect; from a Windows machine, you could use the RDP viewer that comes with Windows (usually found in "Accessories" -> "Communication" -> "Remote Desktop Connection").
Note again that on the server machine, since we will only use the headless server, neither Qt nor SDL nor the X Window system will be needed.
On the headless server, create a new virtual machine:
VBoxManage createvm -name "Windows XP" -register
Note that if you do not specify -register, you will have to manually use the registervm command later.
Make sure the settings for this VM are appropriate for the guest operating system that we will install. For example:
VBoxManage modifyvm "Windows XP" -memory "256MB" \
    -acpi on -boot1 dvd -nic1 nat
Create a virtual hard disk for the VM (in this case, 10GB in size) and register it with VirtualBox:
VBoxManage createvdi -filename "WinXP.vdi" -size 10000 -register
Set this newly created VDI file as the first virtual hard disk of the new VM:
VBoxManage modifyvm "Windows XP" -hda "WinXP.vdi"
Register the ISO file that contains the operating system installation that you want to install later:
VBoxManage registerimage dvd /full/path/to/iso.iso
Attach this ISO to the virtual machine, so it can boot from it:
VBoxManage modifyvm "Windows XP" -dvd /full/path/to/iso.iso
(Alternatively, you can use VBoxManage controlvm dvdattach directly, without having to register the image first; see Section 8.7, “VBoxManage controlvm” for details.)
Start the virtual machine using VBoxHeadless:
VBoxHeadless -startvm "Windows XP"
If everything worked, you should see a copyright notice. If, instead, you are returned to the command line, then something went wrong.
On the client machine, fire up the RDP viewer and try to connect to the server. Assuming a Linux client, try the following:
rdesktop -a 16 my.host.address
(With rdesktop, the -a 16 option requests a color depth of 16 bits per pixel, which we recommend. Also, after installation, you should set the color depth of your guest operating system to the same value.)
You should now be seeing the installation routine of your guest operating system.
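The procedure above, as an added example script that is not part of the VirtualBox manual: it runs the same VBoxManage and VBoxHeadless steps with basic input checks, and additionally switches the VM's VRDP authentication away from the insecure "null" type (see the authentication section of this page). It assumes the 1.6-era option names shown on this page and a Linux host; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example script (not the manual's own): headless VM creation with checks.
# Assumes VBoxManage/VBoxHeadless in PATH and the option names used on this page.
set -eu

vbox() {
    # Print the command in dry-run mode, otherwise run it; set -e aborts on failure.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# provision_headless_vm <vmname> <vdi file> <iso path> [disk size in MB]
provision_headless_vm() {
    vmname=$1; vdi=$2; iso=$3; size_mb=${4:-10000}

    # Sanity checks before touching the server's VirtualBox configuration.
    case "$size_mb" in
        ''|*[!0-9]*) echo "disk size must be an integer (MB): $size_mb" >&2; return 1 ;;
    esac
    [ -f "$iso" ] || { echo "ISO not found: $iso" >&2; return 1; }

    vbox VBoxManage createvm -name "$vmname" -register
    # memory size is given in MB
    vbox VBoxManage modifyvm "$vmname" -memory 256 -acpi on -boot1 dvd -nic1 nat
    vbox VBoxManage createvdi -filename "$vdi" -size "$size_mb" -register
    vbox VBoxManage modifyvm "$vmname" -hda "$vdi"
    vbox VBoxManage registerimage dvd "$iso"
    vbox VBoxManage modifyvm "$vmname" -dvd "$iso"
    # VBoxHeadless always enables the VRDP server, so do not leave it on the
    # "null" authentication type; "external" checks against host accounts.
    vbox VBoxManage modifyvm "$vmname" -vrdpauthtype external
    # Run VBoxHeadless directly so its console output stays visible for diagnosis.
    vbox VBoxHeadless -startvm "$vmname"
}

if [ $# -ge 3 ]; then
    provision_headless_vm "$@"
fi
```

Run it as `./headless-install.sh "Windows XP" WinXP.vdi /full/path/to/iso.iso` on the server, then connect with the RDP viewer as described above.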
As a special feature on top of the VRDP support, VirtualBox supports remote USB devices over the wire as well. That is, the VirtualBox guest that runs on one computer can access the USB devices of the remote computer on which the RDP data is being displayed, in the same way as USB devices that are connected to the actual host. This allows for running virtual machines on a VirtualBox host that acts as a server, to which a client that needs only a network adapter and a display capable of running an RDP viewer can connect from elsewhere. When USB devices are plugged into the client, the remote VirtualBox server can access them.
For these remote USB devices, the same filter rules apply as for other USB devices, as described in Section 3.7.7.1, “USB settings”. All you have to do is specify "Remote" (or "Any") when setting up these rules.
Accessing remote USB devices is only possible if the RDP client supports this extension. VirtualBox includes a suitable RDP client for Linux, rdesktop-vrdp. Further RDP clients running on other platforms will be provided in future VirtualBox versions.
For each virtual machine that is remotely accessible via RDP, you can individually determine if and how RDP connections are authenticated.
For this, use the VBoxManage modifyvm command with the -vrdpauthtype option; see Section 8.5, “VBoxManage modifyvm” for a general introduction.
Three methods of authentication are available:
The "null" method means that there is no authentication at all; any client can connect to the VRDP server and thus the virtual machine. This is, of course, very insecure and only to be recommended for private networks.
The "external" method provides external authentication through a special authentication library.
VirtualBox comes with two default libraries for external authentication:
On Linux hosts, VRDPAuth.so authenticates users against the host's PAM system.
On Windows hosts, VRDPAuth.dll authenticates users against the host's WinLogon system.
In other words, the "external" method per default performs authentication with the user accounts that exist on the host system.
However, you can replace the default "external" authentication module with any other module. For this, VirtualBox provides a well-defined interface that allows you to write your own authentication module; see Section 9.3, “Custom external VRDP authentication” for details.
Finally, the "guest" authentication method performs authentication with a special component that comes with the Guest Additions; as a result, authentication is not performed with the host users, but with the guest user accounts. This method is currently still in testing and not yet supported.
RDP features data stream encryption, which is based on the RC4 symmetric cipher (with keys up to 128-bit). The RC4 keys are replaced at regular intervals (every 4096 packets).
RDP provides three different authentication methods:
Historically, RDP4 authentication was used, with which the RDP client does not perform any checks in order to verify the identity of the server it connects to. Since user credentials can be obtained using a man-in-the-middle (MITM) attack, RDP4 authentication is insecure and should generally not be used.
RDP5.1 authentication employs a server certificate for which the client possesses the public key. This way it is guaranteed that the server possesses the corresponding private key. However, as this hard-coded private key became public some years ago, RDP5.1 authentication is also insecure and cannot be recommended.
RDP5.2 authentication is based on TLS 1.0 with customer-supplied certificates. The server supplies a certificate to the client which must be signed by a certificate authority (CA) that the client trusts (for the Microsoft RDP Client 5.2, the CA has to be added to the Windows Trusted Root Certificate Authorities database). VirtualBox allows you to supply your own CA and server certificate and uses OpenSSL for encryption.
While VirtualBox supports all of the above, only RDP5.2 authentication should be used in environments where security is a concern. As the client that connects to the server determines what type of encryption will be used, with rdesktop, the Linux RDP viewer, use the -4 or -5 options.
The VirtualBox built-in RDP server supports simultaneous connections to the same running VM from different clients. All connected clients see the same screen output and share a mouse pointer and keyboard focus. This is similar to several people using the same computer at the same time, taking turns at the keyboard.
The following command enables multiple connection mode:
VBoxManage modifyvm VMNAME -vrdpmulticon on
If the guest uses multiple monitors then multiple connection mode must be active in order to use them at the same time (see Section 9.6, “Multiple monitors for the guest”).
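An added audit script, not part of the VirtualBox manual, covering the authentication-method and multiple-connection passages above: it reads one VM's machine-readable settings and reports the conditions this page describes as risky (the "null" authentication type, the unsupported "guest" type, shared multi-connection sessions, and a VRDP-off setting that VBoxHeadless overrides). It assumes that VBoxManage showvminfo -machinereadable prints the keys vrdp, vrdpport, vrdpauthtype and vrdpmulticon in key="value" form; the sample input is constructed.

```shell
#!/bin/sh
# Added example (not the manual's own): audit a VM's VRDP settings.
# Assumes key="value" lines named vrdp, vrdpport, vrdpauthtype, vrdpmulticon
# as printed by "VBoxManage showvminfo <vm> -machinereadable" (assumed format).
set -eu

# Read one VM's machine-readable settings on stdin; print "name: finding" lines.
audit_vrdp_info() {
    awk -F= '
        { gsub(/^"|"$/, "", $2); kv[$1] = $2 }
        END {
            name = kv["name"]
            if (kv["vrdp"] != "on")
                print name ": VRDP off in config; VBoxHeadless enables it anyway unless started with -vrdp=off or -vrdp=config"
            if (kv["vrdpauthtype"] == "null")
                print name ": VRDP authentication type null, any client that reaches port " kv["vrdpport"] " can connect"
            else if (kv["vrdpauthtype"] == "guest")
                print name ": guest authentication selected, which is still in testing and unsupported"
            else
                print name ": external authentication (host accounts via VRDPAuth)"
            if (kv["vrdpmulticon"] == "on")
                print name ": multiple simultaneous connections on, all clients share screen, mouse and keyboard"
        }'
}

# Constructed sample: a VM whose VRDP server accepts unauthenticated connections.
SAMPLE_NULL_AUTH='name="Windows XP"
vrdp="on"
vrdpport=3389
vrdpauthtype="null"
vrdpmulticon="off"'

if [ $# -ge 1 ]; then
    # Live mode: audit the named VM on this host (requires VBoxManage in PATH).
    VBoxManage showvminfo "$1" -machinereadable | audit_vrdp_info
else
    printf '%s\n' "$SAMPLE_NULL_AUTH" | audit_vrdp_info
fi
```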