The installation files provided via the support area of m-privacy GmbH are executable MSI packages and already contain all necessary components for audio transmission and printing. They create a new icon on the desktop of the workstation PC called "Internet". To open the TightGate-Viewer successfully with a double-click, a few configuration steps must first be performed. These are explained under Implementation.

There are two types of configuration files: system-wide and user-specific. On 64-bit systems, the system-wide configuration file is located at:

%PROGRAMFILES(X86)%\TightGate-Pro\tgpro.cfg

or on 32-bit systems:

%PROGRAMFILES%\TightGate-Pro\tgpro.cfg

The user-specific configuration file can be found in the respective user account of the client computer:

%APPDATA%\vnc\tgpro.vnc

If the TightGate Viewer is started without special parameters, it reads its configuration from the user-specific configuration file. If no such configuration file exists, the TightGate Viewer reads the system-wide configuration file and creates/writes a user-specific configuration file whenever the session ends. All changes that the user makes himself during a session are saved in this file.

Notes: Administrator rights on the target system are required to change the system-wide configuration file tgpro.cfg. After the first start of the TightGate-Viewer, a specific configuration file tgpro.vnc is created for the respective user and used exclusively from now on. Any later changes to the system-wide tgpro.cfg will be ignored as long as a user-specific configuration file exists. Changes must therefore either be made to the user-specific file or, alternatively, the system-wide file can be modified, but the user-specific file must then be deleted. It is then automatically generated from the system-wide file the next time the program is started.
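
Because an existing tgpro.vnc takes precedence, a stale or user-modified copy silently overrides later changes to tgpro.cfg. The following PowerShell is an added example, not m-privacy code, that lists per-user files whose connection and logon settings differ from the system-wide file. It assumes both files consist of key=value lines (as in the autotransferFolder line on this page), that profiles live under C:\Users with an unredirected %APPDATA%, and the function names Read-TgConfig and Get-TgConfigDrift are hypothetical.

```powershell
# Added example: report per-user tgpro.vnc files whose values differ from the
# system-wide tgpro.cfg. Assumption: both files hold key=value lines.
function Read-TgConfig {
    param([Parameter(Mandatory)][string]$Path)
    $settings = @{}   # PowerShell hashtables compare keys case-insensitively
    foreach ($line in Get-Content -LiteralPath $Path) {
        $idx = $line.IndexOf('=')
        if ($idx -gt 0) {   # skip blank lines and lines without a key
            $settings[$line.Substring(0, $idx).Trim()] = $line.Substring($idx + 1).Trim()
        }
    }
    return $settings
}

function Get-TgConfigDrift {
    param(
        [Parameter(Mandatory)][string]$SystemConfig,
        [string]$ProfileRoot = 'C:\Users',   # assumption: default profile location
        [string[]]$Keys = @('ServerName', 'krbhostname', 'SecurityTypes')
    )
    $system = Read-TgConfig -Path $SystemConfig
    # One tgpro.vnc per profile, in %APPDATA%\vnc (Roaming) as the page describes.
    $pattern = Join-Path $ProfileRoot '*\AppData\Roaming\vnc\tgpro.vnc'
    foreach ($file in Get-Item -Path $pattern -ErrorAction SilentlyContinue) {
        $user = Read-TgConfig -Path $file.FullName
        foreach ($key in $Keys) {
            # A key missing on one side only is also reported as drift.
            if ($user[$key] -ne $system[$key]) {
                [pscustomobject]@{
                    File        = $file.FullName
                    Key         = $key
                    SystemValue = $system[$key]
                    UserValue   = $user[$key]
                    LastWrite   = $file.LastWriteTime
                }
            }
        }
    }
}

# Pick the system-wide file for 64-bit or 32-bit Windows, as listed on this page.
$base = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
Get-TgConfigDrift -SystemConfig (Join-Path $base 'TightGate-Pro\tgpro.cfg') |
    Format-Table -AutoSize
```

Run it from an elevated session so that other users' profiles are readable. A file it lists can be deleted so that it is regenerated from tgpro.cfg at the next start, as described in the notes above.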

That's what's needed:

→ Download the client software for TightGate-Pro from the Download Center of m-privacy GmbH.

Note: Please make sure that you download the appropriate package for your authentication method (password login or SSO).

How to do it:

  • Execute the MSI package of the client software
  • For login with password:
    • Open the file %PROGRAMFILES(X86)%\TightGate-Pro\tgpro.cfg (64Bit system) or %PROGRAMFILES%\TightGate-Pro\tgpro.cfg (32Bit system) and adjust the ServerName → Enter either IP or resolvable DNS name of TightGate-Pro
    • If you double-click on the icon of the application, a login window appears in which user name and password must be entered.
    • The file %APPDATA%\vnc\tgpro.vnc is created automatically when the viewer is closed and is used for logon from now on.
  • For SSO registration with certificates:
    • Create and export SSL keys for the users at the TightGate-Pro using the administrator role maint, as described under User administration via user certificates.
    • If there is no folder vnc under %APPDATA% yet, create this folder
    • Log on to the TightGate-Pro via WinSCP as the user transfer
    • Copy the entire contents of the folder /home/user/.transfer/config/certs/<username> to the local folder %APPDATA%\vnc
    • When double-clicking the Internet icon on the workstation, the user is logged in using the certificate.
    • %APPDATA%\vnc\tgpro.vnc is automatically created when the viewer is closed and used for logon from now on.
  • For logon using Active Directory:
    • Open the file %PROGRAMFILES(X86)%\TightGate-Pro\tgpro.cfg (64Bit system) or %PROGRAMFILES%\TightGate-Pro\tgpro.cfg (32Bit system) and adjust the following parameters:
      • ServerName → enter the resolvable DNS name of TightGate-Pro
      • krbhostname → enter the resolvable DNS name of TightGate-Pro
    • Double-click on the Internet icon on the desktop to log the user in.
    • %APPDATA%\vnc\tgpro.vnc is automatically created when the viewer is closed and used for logon from now on.

General information

As an alternative or in addition to the manual file transfer, an automatic transfer function is integrated in TightGate-Pro. This allows downloads to be transferred automatically to the workstation computer. Each user has a subfolder called autotransfer within the transfer folder on TightGate-Pro. All files stored there pass through the malware and MIME type filter as usual. If the check raises no objections, the automatic transfer to the workstation computer takes place. There the file is stored in the local folder autotransfer, which is located in the Windows standard folder Downloads. Manual retrieval via the TightGate file transfer remains possible. The local target directory of the automatic file transfer is freely configurable.

That's what's needed:

→ Current TightGate-Viewer
→ Globally activated file transfer

How to do it:

  • Login as administrator config.
  • Selection of the menu item System settings > Allow auto-transfer. Global activation of the automatic file transfer by selecting Yes.
  • After activating the automatic file transfer a new menu item named Auto Download Client Folder appears. Here you can specify a destination folder into which the semi-automatic file transfer will store the TightGate-Pro downloads on the client computer. If the target folders in the local configuration file on the workstation have been changed, no value should be set here, as this overwrites the value in the local configuration file.
    Hint: Windows environment variables such as %USERPROFILE% etc. can also be used for the target path.
  • Use the menu items Save and Soft Apply to apply the settings. After Apply all newly logged in users get a folder autotransfer created as subfolder in the normal transfer directory.
  • On the client side, check whether the directory autotransfer has been created in the Download directory of the user. If the directory does not exist, the directory must be created. If a different target directory is specified via the menu item Auto Download Client Folder, it should be checked whether this exists on the client side.

Configuration options

In the case of user administration via Active Directory, the user-specific assignment to the automatic file transfer takes place via membership in the security group TGtransferAuto. Details about the security group for TightGate-Pro can be found here.

The target directory on the workstation PC where the automatic downloads are stored can be set individually. For this the file tgpro.vnc in the directory %APPDATA%\vnc must be adapted. The path is set in the line with the attribute autotransferFolder. In the standard system, the line looks like this:

 autotransferFolder=%userprofile%\\Downloads\\autotransfer

The use of TightGate-Pro via terminal server systems is possible. In principle, the client software is installed in the same way as for dedicated workstations. However, there are some special features with regard to the interference-free screen display and the necessary port releases for audio transmission.

Mouse pointer:

It is recommended to enable the option Use local mouse pointer instead of server mouse pointer in the viewers. This can be done in different ways.

When logging on using Single Sign-on (SSO):

  • Before creating the certificates, the option Settings > Authentication > Windows cursor in client config must be activated as administrator config. The certificates must then be generated and distributed again. The viewer applications are then automatically switched so that the pointer of the terminal server is displayed instead of the mouse pointer of TightGate-Pro. This prevents delays and double images on the client computers when displaying the mouse pointer in connection with TightGate-Pro.

For login with password:

  • The setting is made in the TightGate-Viewer either manually via the program menu (F8 > Settings …, tab Input method, section Mouse) or via the configuration file tgpro.vnc (parameter UseLocalCursor, file to be found in %APPDATA%\vnc).

Audio transmission:

In order to be able to transmit the sound of terminal server systems to the correct client computer, it is necessary to set a value range instead of the standard audio port. For this purpose, a value range must be set with the administration role config under System settings > Pulseaudio Extra-Ports and then the user certificates must be newly created and distributed with the administration role maint. Alternatively, the tgpro.vnc file (to be found in %APPDATA%\vnc) can also be adjusted manually. In this case the lines PAPortMin=<start value> and PAPortMax=<end value> must be added or adapted.

Each time the user logs on, a free port is automatically searched for and reserved for the duration of the session. This prevents collisions with other client computers.

The key combination ALT+Tab can be used to switch between running applications. If the TightGate-Viewer is operated in window mode, ALT+Tab only affects the environment outside the TightGate-Viewer. In full-screen mode, on the other hand, you switch between running applications within the TightGate-Viewer.

This behavior can be changed so that ALT+Tab is not passed on to TightGate-Pro even in full-screen mode. The key combination then only affects the environment outside the TightGate-Viewer. To configure this behavior, the parameter FullScreenSystemKeys=0 can be set in the configuration file of the TightGate-Viewer.

Alternatively, in the window menu of the TightGate-Viewer (call with F8) under Settings > Input Methods > Send System Keys directly to Server the check mark can be removed.

If, for example, a different configuration is to be used once for test purposes without saving it or accepting previous values, the Viewer can be called via console with the option -noconfig and any number of further options.

Example: "C:\Program Files (x86)\TightGate-Pro\vncviewer.exe" -noconfig

If this example call is executed, the IP of the server and the access data of the user are queried in the following dialogs.

If the exact packet sequence of the TightGate-Viewer needs to be logged for analysis purposes (e.g. for analyzing connection interruptions) the TightGate-Viewer must be called up via the special port 5901 and the additional parameter (-log). It is recommended to start the TightGate-Viewer via the console during debugging/logging so that log files are not permanently generated. It is recommended to use debugging only in consultation with the technical customer service of m-privacy GmbH.

Caution

Calling the TightGate-Viewer with the debugging option requires that the TightGate-Viewer is allowed to connect to TightGate-Pro via port 5901. In normal operation, only the connection via port 5900 is provided. The corresponding network rules must therefore be adjusted before use.

The call from the console is made as follows:

"%PROGRAMFILES%\TightGate-Pro\vncviewer.exe" -log *:file:100 [IP address]:5901

If the TightGate-Viewer is called up this way, it creates a log file with the name vncviewer.log in the directory under %temp%\tgprotemp. The vncviewer.log file is a text file and can be read with any text editor.

The file must be sent to the technical customer service of m-privacy GmbH for analysis purposes.

It is possible to create multiple TightGate-Viewer shortcuts on the desktop and assign different configurations to them. To do this, right-click on the icon to select the menu Settings and the Link tab. Under Target, append -configdir=<Path> after the program path, where <Path> is the path to the folder with the configuration file to be used. All user certificates must also be stored in this folder for the SSO login procedure.

Notes: When specifying the path, each backslash must be masked (e.g.: C:\\Users\\username\\…). If you specify some parameters without using a different configdir any changes would be copied to the tgpro.vnc file in the default directory (%APPDATA%\vnc). If the viewer has several links, these would overwrite each other's configurations and only differ in the values specified in the link. If it is desired to use all other options that were not specified manually, such as the size of the window, several tgpro.vnc files are required.

Usually there is no need to manually edit the tgpro.vnc file in %APPDATA%\vnc directory or the template under %PROGRAMFILES(X86)%\TightGate-Pro after entering the connection options.

However, the following list gives an overview of various options and parameters.

Call parameter (to be specified when executing):

| Parameter | Description |
|---|---|
| ConfigDir | Specifies the directory in which the tgpro.vnc file to be used and certificates, etc. are located |
| noConfig | Neither tgpro.vnc nor tgpro.cfg will be used and the settings will not be saved when closing. |
| rwConfig | If the default directory (%APPDATA%\vnc) is to continue to be used and only a different path is to be used for calling the tgpro.vnc file, this can be specified here. |

Note: For path specifications, each backslash must be masked with an additional backslash!

Options (Set parameter in tgpro.cfg and/or tgpro.vnc):

| Option | Description |
|---|---|
| x509key, x509cert, x509CA | For SSO login, user certificates are required. The path to them can be specified here (default is the %APPDATA%\vnc directory) |
| SecurityTypes | Specifies which procedure is to be used for the logon. If several methods are named, the method that is found first is selected. (e.g. TLSPlain → Username and password, x509Cert → SSO with certificates, TLSKrb → Active Directory, …) |
| krbservice | Description of the Kerberos service (default is "host") |
| krbauthid | Kerberos username |
| PAPortMin | Start of the value range for Pulseaudio ports (to be specified for Terminal Clients) |
| PAPortMax | End of the value range for Pulseaudio ports (to be specified for Terminal Clients) |
| Maximize (1=active) | The Viewer window always opens at maximum size |
| WinCursor (1=active) | Can be used on Terminal Clients to reduce delays in image display |
| QuickPrint (1=active) | Print jobs are forwarded directly to the default printer without dialog |
| SoundSupport (1=active) | The sound can be activated or deactivated. (If the sound was deactivated by maint, setting this option has no effect.) |
| Menukey (Default=F8) | Many settings can be made after calling the Viewer via a graphical menu, without having to adjust the configuration files manually. Here you can define the function key with which the menu is called. |