SEM 3.0 Management Consoles from build 8554 onwards include support for running within a web browser, using Cybele Software’s Thinfinity VirtualUI product. This article describes the steps required to evaluate this configuration or make SEM available to end users in this fashion.
There are two licensing considerations to be taken into account when using SEM under VirtualUI; most importantly, VirtualUI uses a per-seat licensing system, so sufficient licenses will need to be purchased (either via Sysgem or directly from Cybele Software) to cover the largest anticipated number of concurrent users. A free trial license is available for evaluation purposes.
Secondly, SEM’s VirtualUI support is a separately-licensed option, so your SEM license will need to include the VirtualUI option; please contact Sysgem or your distributor to discuss adding this option to your existing license if needed. VirtualUI support is currently not enabled by default for SEM trial licenses but can be added on request.
The SEM Management Console should be installed in the usual fashion on the server or servers which will be hosting the VirtualUI environment. This can be done either before or after installing VirtualUI itself; however, installing SEM first does allow you to install the required SEM license before attempting to start SEM within VirtualUI.
For a first SEM installation, or evaluating VirtualUI in a standalone environment, the SEM Authorization Server can also be installed on the same server; however, this isn’t necessary if the VirtualUI clients are to be connected to an existing SEM installation.
The Thinfinity VirtualUI package can be downloaded from Cybele Software’s downloads page, and installs as a standard Windows application; the required options will depend upon your environment and requirements but for an initial installation we recommend selecting the VirtualUI Server option (there is no need to install the Development Environment) and then installing ‘all components’. For larger deployments it is possible to configure load balancing across several application servers, as described in the VirtualUI documentation, but during your initial evaluation of the environment this is unlikely to be necessary.
Once installation has completed, start the Thinfinity VirtualUI Server Manager from the Start menu. This will prompt you to register your VirtualUI license, or create a trial license; once this has been completed, the Server Manager will appear. This should show a default web server configuration (‘binding’) for HTTP port 6580 on all addresses and hostnames; if not, click the Add button followed by OK to create one with these defaults. Tick the ‘allow external access in Windows Firewall’ checkbox to allow users access to the web server, then click Apply to update the running configuration.
You should now be able to visit http://localhost:6580/ from the server where VirtualUI has been installed, and see a default application list containing icons for the Thinfinity VirtualUI documentation. If not, please contact Sysgem or Cybele for further assistance with installation and configuration.
Once the initial VirtualUI configuration is complete, you can publish the SEM Management Console to web users by creating an entry for it in the Applications tab of the Thinfinity VirtualUI Server Manager. The simplest way to do this is to click the Add button, then the Open button next to the ‘Program path and file name’ field of the General tab in the resulting dialog box. In the file chooser that appears, browse to the SEM installation directory and then select the SEM Management Console\SEM Client.exe file; confirm the choice and then press OK to select the default icon in the following dialog box. This will populate some default options for the application entry; however, we recommend that you remove the tick from the ‘Allow browser arguments’ checkbox, and also change the ‘Name’ field at the top of the window to read ‘SEM’ rather than ‘SEM Client’ for consistency with SEM’s usual Start menu entry.
Once happy with your settings, click OK to save the new application entry and then Apply to update the running VirtualUI service with your changes.
You should then be able to visit (or refresh) the http://localhost:6580/ page again to see the new SEM icon in the application list.
Clicking on the SEM icon should, after a moment, display the normal SEM login dialog box. Log in as usual and you should find SEM starts and operates in the same way as it does when running as a standard Windows application; if instead you receive an error regarding your SEM license not supporting VirtualUI, please contact Sysgem to discuss licensing options.
By default, VirtualUI allows anonymous, unauthenticated users to access the available applications, and will run these applications within the context of whichever user is currently logged in to the Windows desktop on the VirtualUI server. Whilst this may be a reasonable configuration for a simple test environment, in a production (or larger-scale evaluation) scenario it is likely that better security controls should be configured.
The available controls come in several layers: user permissions to access VirtualUI, user permissions to access individual applications such as SEM, and the user credentials used by VirtualUI to run the application on the user’s behalf. For each of these, there are several options available within VirtualUI; a full discussion is beyond the scope of this article, but a basic configuration that could serve as a starting point is described below. More details on the available options can be found in the VirtualUI documentation.
The first consideration is the user account under which the SEM Management Console will be run when accessed via VirtualUI. The default, as mentioned, is to borrow the current console session on the server; it is also possible to use a nominated account (such as a dedicated service account), or if authentication is enabled to use the relevant Windows account for each user’s session. This is configured on the Sessions tab in the Thinfinity VirtualUI Server Manager; the default is for all VirtualUI applications to share one Windows session, which can be either the console user or a nominated account.
Alternatively, selecting the ‘One Browser per Windows Session’ mode allows a nominated account or the VirtualUI user’s credentials to be used instead. Sysgem recommend using this final option for any substantial deployment, as it provides the best isolation between users and also avoids any clash of settings should SEM be configured to save them locally instead of on the Authorization Server.
The second step, which is optional unless the ‘logged-in credentials’ option described above is in use, is to select an authentication method to be used when logging in to VirtualUI. The simplest method is most likely to be Windows Logon authentication, which allows users to log in with their usual Windows credentials; since VirtualUI uses Active Directory objects as the basis for its access controls, this simplifies configuration by allowing you to leverage existing security groups, etc. whereas other authentication types require an additional mapping layer to be maintained.
Authentication types are configured on the Methods subtab under the Authentication tab in the Thinfinity VirtualUI Server Manager; initially the methods list is empty, but clicking the Add button will allow the Windows Logon authentication methods to be enabled. Once one or more authentication methods have been selected, the ‘Allow anonymous access’ checkbox can be cleared to force users to log in before using any VirtualUI application.
In Sysgem’s testing, we have found the ‘Use standard browser authentication dialog’ checkbox to be a useful setting; the normal VirtualUI login form did not always behave as expected, although this may have been fixed by the time of publication.
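A quick way to confirm these settings from another machine, as an added example that is not part of Sysgem’s or Cybele’s material: with ‘Allow anonymous access’ cleared and ‘Use standard browser authentication dialog’ ticked, a request sent without credentials should be answered with HTTP 401 and a WWW-Authenticate challenge, since that is what makes a browser show its own dialog. The script assumes the default http://localhost:6580/ binding from this article; the function names and the sample results are constructed for illustration.

```python
"""Added example: check that a VirtualUI binding challenges anonymous requests."""
import http.client
import sys
from urllib.parse import urlsplit


def probe(url, timeout=5):
    """Send one GET with no credentials; return (status, WWW-Authenticate values)."""
    parts = urlsplit(url)
    tls = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.headers.get_all("WWW-Authenticate") or []
    finally:
        conn.close()


def assess(url, status, challenges):
    """Turn a probe result into findings an administrator can act on."""
    schemes = sorted({c.split()[0].lower() for c in challenges if c.strip()})
    if status == 401 and schemes:
        findings = ["OK: anonymous request refused, server offers " + ", ".join(schemes)]
        if urlsplit(url).scheme == "http" and "basic" in schemes:
            findings.append("WARN: Basic over plain http sends the Windows "
                            "password base64-encoded, readable on the network")
        return findings
    if status == 200:
        return ["CHECK: page served without credentials; anonymous access is "
                "still allowed or a form-based login page is in use"]
    return ["CHECK: unexpected status %d, inspect the binding manually" % status]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        for line in assess(target, *probe(target)):
            print(line)
    else:
        # Constructed sample results (not captured from a real VirtualUI server).
        samples = [(200, []), (401, ['Basic realm="example"']), (401, ["NTLM"])]
        for status, hdrs in samples:
            print(status, assess("http://localhost:6580/", status, hdrs))
```

Run it with the binding URL as its only argument; a 200 result needs a manual look, because the script cannot tell the application list from a form-based login page.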
It is also possible to restrict anonymous access to SEM in particular rather than VirtualUI as a whole; this is configured in the Permissions tab of the SEM application entry, by clearing the ‘Allow anonymous access’ checkbox and then adding one or more users or groups to the list below.
Setting such a configuration will make the SEM icon appear within VirtualUI only for users granted access; it will be hidden from any other users, or anonymous users if they are allowed by the global configuration.
VirtualUI includes built-in support for two-factor authentication (2FA), with multiple 2FA providers available and able to be associated with any selected authentication method. To use this support, first enable one or more 2FA providers on the 2FA subtab under the Authentication tab in the Thinfinity VirtualUI Server Manager, and then select the relevant provider for each authentication method selected on the Methods subtab.
Finally, ensure the 'Use standard browser authentication dialog' checkbox is not ticked, so that VirtualUI's login page can handle 2FA requests as needed. Where required, users will be prompted to configure their 2FA authenticators during their first VirtualUI login.
However, it should also be noted that all releases of SEM 3.0 that support VirtualUI also support SEM's own 2FA extensions, which will apply the same 2FA requirements to all SEM users whether logging in via VirtualUI or directly on a Windows workstation. More information about configuring SEM's built-in two-factor authentication can be found in the related Knowledge Base article.