VNC User Guide
VNC User Guide
Version 5.2
June 2014
Trademarks
VNC is a registered trademark of RealVNC Ltd. in the U.S. and in other countries. Other trademarks are the
property of their respective owners.
Protected by UK patent 2481870.
Copyright
Copyright RealVNC Limited, 2002-2014. All rights reserved.
No part of this documentation may be reproduced in any form or by any means or be used to make any
derivative work (including translation, transformation or adaptation) without explicit written consent of
RealVNC.
Confidentiality
All information contained in this document is provided in commercial confidence for the sole purpose of use
by an authorized user in conjunction with RealVNC products. The pages of this document shall not be
copied, published, or disclosed wholly or in part to any party without RealVNCs prior permission in writing,
and shall be held in safe custody. These obligations shall not apply to information which is published or
becomes known legitimately from some source other than RealVNC.
Contact
RealVNC Limited
Betjeman House
104 Hills Road
Cambridge
CB2 1LQ
United Kingdom
www.realvnc.com
Contents
Chapter 1:
Chapter 2:
Chapter 3:
Introduction
10
11
13
17
Getting Connected
19
20
21
21
22
23
Troubleshooting connection
26
35
36
36
37
39
40
42
43
44
45
46
48
Chapter 4:
Chapter 5:
Chapter 6:
Chapter 7:
51
52
56
57
Exchanging Information
61
62
64
68
69
73
74
75
78
81
82
87
89
Changing ports
90
92
93
95
Authenticating users
96
96
98
99
101
104
105
109
Appendix A:
Appendix B:
Appendix C:
Appendix D:
114
Protecting privacy
115
Saving Connections
117
118
123
124
127
Setting Up VNC
129
Configuring VNC
130
130
136
138
141
143
145
Logging information
148
Removing VNC
150
VNC Parameters
153
154
155
175
189
190
192
Applicable software
All the information in this Guide applies to connections established between a client computer running the
latest version of VNC Viewer and a host computer running the same version of VNC Server with an
Enterprise license. Unless otherwise stated, this combination is assumed. To see how to set these
applications up, read Getting two computers ready to use on page11.
Note that general principles of remote control, and information relating to particular supported features, also
applies to connections established between any combination of the products and license types listed below.
VNC Server (with different license types applied)
For more information on licensing, start with Licensing VNC Server on page74.
VNC Viewer
To understand restrictions for connections established between particular combinations of products and
license types, see Connectivity and feature matrix on page13.
Intended audience
There is no such thing as a typical RealVNC user or remote control session. This Guide therefore has more
than one audience in mind:
Chapters 2 through 5 are intended for users who want to connect to and control a remote computer.
Chapters 6 and 7 are intended for users who want to set up the remote computer to be controlled.
Appendices B, C, and D are intended for system administrators responsible for deploying, licensing, and
configuring VNC 5.x in an enterprise environment.
This Guide is intended to be operating system-agnostic, as far as possible. Information related to specific
operating systems is clearly marked.
Conventions
Screen captures are from Windows 7 unless otherwise stated. Dialogs and other artifacts may appear
differently under UNIX and Mac OS X, or versions of Windows with different themes, but the principle is the
same.
Related information
Visit www.realvnc.com for:
Information relating to legacy VNC Enterprise Edition and VNC Personal Edition.
1
Introduction
This Guide explains how to use VNC 5.x remote access and control software from RealVNC to connect two
computers over a network and take control of one (the host computer) from the other (a client computer),
irrespective of where the two are in the world, or incompatibilities they may have in platform, architecture, or
operating system.
VNC 5.x consists of two components: VNC Server and VNC Viewer. All the information in this Guide applies
to connections established between a client computer running the latest version of VNC Viewer and a host
computer running the same version of VNC Server with an Enterprise license. For a list of other products
and license types to which information may also apply, see Applicable software on page7.
Contents
Principles of VNC remote control
10
11
13
17
Chapter 1: Introduction
An application called VNC Server must be running on the host computer; that is, on the computer you
want to control. To see how to obtain, license, and start VNC Server, read Setting up the host computer
on page11.
Note: You may be able to control computers that are running alternatives to VNC Server. For more
information, see Connecting to VNC-compatible Server software on page15.
An application called VNC Viewer must be running on the client computer; that is, on the computer you
are sitting in front of, and want to exercise control from. To see how to obtain and start VNC Viewer, read
Setting up the client computer on page12.
Note: You may be able to exercise control using alternatives to VNC Viewer. For more information, see
Connecting from alternatives to VNC Viewer on page15.
Host and client computers must be connected to the same TCP/IP network. This can be a private
network such as a LAN or VPN, or a public network such as the Internet. Note that firewalls and routers
must typically be configured before an Internet connection can be established. See Connecting over the
Internet on page28 for more information.
A. Client computer (typically a laptop or desktop) running VNC Viewer. B. Client device (handset or tablet) running
VNC Viewer for iOS or Android. C. Host computer (typically a workstation or server) running VNC Server. D. Router
exposing a public network address for Internet connections to the host computer.
10
Chapter 1: Introduction
To start a remote control session, run VNC Viewer and identify VNC Server on the host computer you want
to control. Once authenticated, VNC Viewer displays the host computers desktop in a new window, and you
can take control using the client computers keyboard and mouse (or device touch). You can run
applications, change settings, and access data on the host computer exactly as you would be permitted to
do were you sitting in front of it. See a picture.
Note: By default, VNC Server allows other users to connect to the host computer at the same time as you.
You may be sharing control.
VNC 5.x remote access and control software solves different problems for users with different requirements,
from the family member troubleshooting computer problems over the Internet to the system administrator
configuring devices remotely in an enterprise environment. To find out how to get the information you need
from this Guide, see What to read next on page17.
11
Chapter 1: Introduction
5. Make sure VNC Server is running on the host computer and that it can accept incoming connections.
See Step 1: Ensure VNC Server is running on the host computer on page20 for more information.
6. Find out the network address of VNC Server. If you are connecting:
Over a LAN or VPN, this is a private address, which is that of the host computer itself. See
Connecting within a private network on page28 for more information.
Over the Internet, this is a public address, which is that of a router or similar device acting as a public
gateway. See Connecting over the Internet on page28 for more information.
7. Find out the credentials required to authenticate to VNC Server. By default, if you are connecting to:
VNC Server with an Enterprise or a Personal license, you require the user name and password of a
user account with administrative privileges on the host computer. See Authenticating using system
credentials on page96 for more information.
VNC Server with a Free license, you require a password specific to VNC. See Authenticating using a
password specific to VNC on page98 for more information.
Note: If you cannot perform these operations and a host computer user is present, you may be able to
jointly establish a reverse connection. See Establishing a reverse connection on page102 for more
information.
12
Chapter 1: Introduction
Previous versions of VNC Server incorporated in VNC Enterprise Edition or VNC Personal Edition.
Note that the latter two may require configuration before a connection can be established, and that not all
VNC remote control features will be available once connected.
Note: For alternatives to VNC Viewer, see Connecting from alternatives to VNC Viewer on page15.
VNC Viewer
Enterprise
Personal
Free
No configuration required.
Note: For information on VNC Viewer encryption, see Step 4: Request an encrypted connection on
page22.
Restrictions
Connections to VNC Server with a Personal license cannot be encrypted using ultra-secure 256-bit AES.
The credentials you enter to log on to your client computer cannot authenticate you automatically to VNC
Server with a Personal license.
The credentials of a user account on the host computer cannot be used to authenticate to VNC Server
with a Free license.
Connections to VNC Server with a Free license are not optimized for performance.
VNC Viewer for Java cannot be downloaded from VNC Server with a Free license.
Note that once a connection to VNC Server with a Free license is established, you cannot perform the
following operations:
13
Chapter 1: Introduction
The credentials of a user account on the host computer cannot be used to authenticate to VNC Personal
Edition.
VNC Viewer
Restrictions
Connections to VNC Enterprise Edition and VNC Personal Edition cannot be encrypted using ultrasecure 256-bit AES.
The credentials of a user account on the host computer cannot be used to authenticate to VNC Personal
Edition.
Exchange files with VNC Enterprise Edition or VNC Personal Edition 4.3 or earlier. Note under Windows,
there are also certain restrictions when connected to version 4.5 and 4.4 as well.
Print VNC Enterprise Edition or VNC Personal Edition 4.4 or earlier files.
Chat with VNC Enterprise Edition or VNC Personal Edition 4.4 or earlier users.
14
Chapter 1: Introduction
VNC Viewer
Restrictions
Note that no VNC remote control features are available for connections to host computers running VNCcompatible Server software. In particular, connections cannot be encrypted.
VNC Viewer for Java. See Connecting from VNC Viewer for Java on page15.
VNC Viewer Plus. See Connecting from VNC Viewer Plus on page16.
VNC Viewer for iOS. See Connecting from mobile devices on page16.
VNC Viewer for Android. See Connecting from mobile devices on page16.
VNC Viewer for Google Chrome. See Connecting from VNC Viewer for Google Chrome on page16.
VNC-compatible Viewer software from third parties. See Connecting from VNC-compatible Viewer
software on page17.
15
Chapter 1: Introduction
Restrictions
Save connections.
Once a connection is established, you cannot save connections to VNC Address Book.
VNC Viewer for iOS from the Apple App Store. Visit www.realvnc.com/products/ios/ for more information.
VNC Viewer for Android from Google Play. Visit www.realvnc.com/products/android/ for more
information.
Restrictions
16
Chapter 1: Introduction
Save connections.
System authentication or single sign-on are not selected. See Relaxing the authentication rules on
page99.
Restrictions
Note that no VNC remote control features are available for connections from client computers running VNCcompatible Viewer software. In particular, connections cannot be encrypted.
To walk through establishing your first connection from a client computer running VNC Viewer to a host
computer running VNC Server, see Chapter 2, Getting Connected on page19.
To learn how to use features of VNC Viewer to enhance your experience of controlling a host computer,
read Chapter 3, Using VNC Viewer on page35.
If you want to control a host computer from a web browser instead of VNC Viewer, read Chapter 4,
Connecting From A Web Browser on page51.
To see how to exchange information between client and host computers, read Chapter 5, Exchanging
Information on page61.
17
Chapter 1: Introduction
To learn how to configure VNC Server on the host computer, and for advanced topics such as running
multiple instances of VNC Server, see Chapter 6, Working With VNC Server on page73.
By default, VNC Server authenticates connecting users and, depending on the license, encrypts
connections end-to-end. To learn more about security, and how to relax the rules if you consider it safe to
do so, read Chapter 7, Making Connections Secure on page95.
18
2
Getting Connected
This chapter aims to help the majority of users get started establishing their first connection from a client
computer running the latest version of VNC Viewer to a host computer running the same version of VNC
Server with an Enterprise license. For a list of other products and license types to which these instructions
may also apply, see Applicable software on page7.
Note: This chapter assumes both host and client computers are set up correctly. For more information, see
Getting two computers ready to use on page11.
Connecting is usually a straightforward process but because computer networks must be secure, problems
can occasionally occur. This chapter offers help for the most common connection issues but it may also be
necessary to consult the RealVNC web site, or contact Technical Support. Alternatively, if you are
connecting within a private network such as a corporate Local Area Network (LAN), consult your system
administrator.
Contents
Step 1: Ensure VNC Server is running on the host computer
20
21
21
22
23
Troubleshooting connection
26
19
Under Windows, search for or navigate to the VNC Server program, or double-click the VNC Server
shortcut icon, if available on the desktop. Note administrative privileges are required.
Under UNIX, search for or navigate to the VNC Server (User Mode) program.
Under Mac OS X, search for or navigate to the VNC Server program. Note administrative privileges are
required.
Note: For alternatives ways to start VNC Server, and more information about different modes, see Starting
VNC Server on page75.
The VNC Server dialog opens:
If the status bar is green, VNC Server should be licensed and configured correctly for connections.
If VNC Server is not licensed, or it is not configured correctly, the status bar turns red. Click the Show button
that appears, and follow the instructions. For more information, consult Troubleshooting connection on
page26.
20
Search for or navigate to the VNC Viewer program, if VNC Viewer is installed on the client computer.
See Setting up the client computer on page12 for more information.
Run the appropriate platform-specific command from these tables on page192 in a Terminal window or
Command Prompt.
A host name, for example johndoe. (Note the host computer may not have a host name.)
An IP address in IPv6 format within square brackets, for example [2001:db8::1]. (Note IPv6 may not
be enabled.)
If you do not know the network address of the host computer, start with Connecting within a private network
on page28.
If you are connecting over the Internet, and the host computer is protected by a router, then enter the
network address of the router in the VNC Server dropdown instead. If you do not know the network address
of the router, see Connecting over the Internet on page28.
21
In the following example, the host computer is identified by an IPv4 network address:
Typically, a host computer needs no further identification. This is because, by default, VNC Server listens for
network communications on a registered port, 5900. Carry on from Step 4: Request an encrypted
connection on page22.
There may be circumstances, however, when VNC Server is listening on a different port. This can occur if
the host computer is running UNIX, or if more than one instance of VNC Server is running on the host
computer. If, when you try to connect, you see an error message similar to the following:
Connection refused (10061)
then you probably need to qualify the network address with a port number. For more information, see
Qualifying a network address with a port number on page30.
An Enterprise license are encrypted using industry-standard 128-bit AES. You can request that this be
enhanced to ultra-secure 256-bit AES.
22
By default, the Encryption dropdown in the VNC Viewer dialog is set to Let VNC Server choose:
An Enterprise or a Personal license, it is recommended you retain this option unless you have a good
reason to either request that encryption be:
Enhanced to 256-bit AES for connections to VNC Server with an Enterprise license only.
Turned off.
For more information on these operations, see Changing the encryption rules on page104.
A Free license, do not change this option. Doing so may prevent you connecting. For more information,
see Connectivity and feature matrix on page13.
You are guided through steps to ensure that the connection is legitimate and secure.
23
If you have access to the host computer, or can communicate with a host computer user, you can check that
VNC Viewer is connecting to the intended destination (and not, for example, a malicious third party) by
comparing the signature (or more-memorable catchphrase) with that displayed in the Get Started section of
the VNC Server dialog:
If you see any other message referring to the VNC Server signature, it is recommended that you do not
connect. For more information on this security feature, see Verifying the identity of VNC Server on page114.
Click the Yes button to continue connecting to VNC Server.
24
If you are connecting to VNC Server with an Enterprise or a Personal license, you may be able to turn
encryption on. Click the Cancel button and see Changing the encryption rules on page104 for more
information. Otherwise, click Continue.
An Enterprise or a Personal license, enter the user name and password you use to log on to the host
computer. If these system credentials do not work and you have access to the host computer, you may
be able to register your user account; see Authenticating using system credentials on page96 for more
information. If you do not have access, contact a system administrator or a host computer user.
A Free license, enter the VNC password, leaving the Username field blank. If you do not know this
password but have access to the host computer, you may be able to reset it; see Authenticating using a
25
password specific to VNC on page98 for more information. If you do not have access, contact a system
administrator or a host computer user.
Click the OK button. If the connection succeeds, VNC Viewer displays the host computers desktop in a new
window on the client computer. Carry on from The VNC Viewer user experience on page40.
If the connection fails for any reason, start with Troubleshooting connection on page26.
Note: Once connected, you can save a connection so you can quickly reconnect without having to
remember the network address and authentication credentials. For more information, see Appendix A,
Saving Connections on page117.
Troubleshooting connection
This section provides additional information to help you connect.
If, after reading this, you still cannot connect:
1. Consult www.realvnc.com.
2. You may be eligible to contact Technical Support. Start with Contacting Technical Support on page8.
3. If all else fails, and providing you have a secure network environment and a host computer user is present, you can ask that person to connect to you. For more information, see Establishing a reverse connection on page102.
26
Click the Resolve button to start the process of licensing VNC Server, and follow the instructions. See
Licensing VNC Server on page74 for more information.
27
And you do not have access to it, you will need to consult your system administrator or a host computer
user.
28
To connect over the Internet, enter the network address of the router in the VNC Viewer dialog, for example:
And you do not have access to the host computer, you will need to ask a host computer user either to
follow the instructions below, or to visit www.whatismyip.com.
29
A. Router with a network address assigned by an ISP, for example 212.44.6.81. B. Host computer with a network
address assigned by the router, for example 192.168.0.1. VNC Server is listening on the default port, 5900. C. Host
computer with a network address assigned by the router, for example 192.168.0.2. VNC Server has been configured to
listen on port 5901. D. Client computer running VNC Viewer.
In this scenario, the router must be configured to forward port 5900 to host computer B at 192.168.0.1 and
port 5901 to host computer C at 192.168.0.2.
When you connect to either host computer from VNC Viewer, you must enter the network address of the
router: 212.44.6.81. In addition, to connect to host computer C, you must qualify the routers network
address with the port number: 212.44.6.81:1. To find out why this is, see Qualifying a network address with
a port number on page30.
30
If VNC Server is listening on any other port, you must qualify the network address of the host computer (or
router) with the port number when you connect from VNC Viewer, for example:
If you know that VNC Server is listening on a port between 5901 and 5999, append a colon (:) and an
identifying number (1 through 99) to the network address, for example:
johndoe:1
192.168.5.54:1
[2001:db8::1]:1
If you know that VNC Server is listening on any other port, append a double colon (::) and the full port
number to the network address, for example:
johndoe::6001
192.168.5.54::6001
[2001:db8::1]::6001
And you do not have access to the host computer, you will need to consult your system administrator or
a host computer user.
In this example, VNC Server is running on host computer 192.168.5.54 and listening on port 5901.
31
The firewall might be automatically configured by the operating system of the host computer. If not, you will
probably see the following error message when you connect from VNC Viewer:
Connection timed out (10060)
The instructions for adding exceptions for ports are specific to firewalls. If you do not have access to the host
computer, ask a host computer user to consult the manufacturers documentation.
then you have not authenticated correctly to VNC Server. Note that user names and passwords are casesensitive.
If you do not know the correct credentials, and you do not have access to the host computer, you will need to
consult your system administrator or a host computer user. If you do have access to the host computer, and
sufficient privileges to configure VNC Server, you may be able to relax the authentication rules. For more
information, see Relaxing the authentication rules on page99.
then VNC Server has been configured to require the system credentials of a user account on the host
computer. Your user account, however, has not been registered with VNC Server.
If this is the case and you do not have access to the host computer, you will need to consult your system
administrator or a host computer user. If you do have access to the host computer, and sufficient privileges
to configure VNC Server, you may be able to register your user account. For more information, see
Managing the list of registered user accounts and groups on page97.
then it could be that VNC Server has been configured to prevent connections from the client computer you
are using.
If this is the case and you do not have access to the host computer, you will need to consult your system
administrator or a host computer user. If you do have access to the host computer, and sufficient privileges
32
to configure VNC Server, you may be able to unblock your client computer. For more information, see
Preventing connections from particular client computers on page106.
Alternatively, you may be able to connect from a different client computer.
then VNC Server has been configured to display connection prompts, and your request has either been
explicitly rejected, or has timed out (this could either be because the prompt was deliberately ignored, or
because no-one was present to respond).
If this is the case and you do not have access to the host computer, you will need to consult your system
administrator or a host computer user. If you do have access to the host computer, and sufficient privileges
to configure VNC Server, you may be able to bypass connection prompts. For more information, see
Preventing particular users connecting on page108.
33
34
3
Using VNC Viewer
This chapter explains how to control a host computer to which you are connected using VNC Viewer, and
how VNC Viewer features can enhance your productivity while the connection is in progress.
Contents
Starting VNC Viewer
36
36
37
39
40
42
43
44
45
46
48
35
In most circumstances, VNC Viewer is ready to connect to VNC Server out-of-the-box. Carry on from
Connecting to a host computer on page39.
In some circumstances, you may need to configure VNC Viewer before you connect. For more information,
see Configuring VNC Viewer before you connect on page37.
To see how to start VNC Viewer so that it listens for a reverse connection, see Starting Listening VNC
Viewer on page36.
Under Windows or Mac OS X, search for or navigate to the Listening VNC Viewer program.
Under UNIX, you must start Listening VNC Viewer at the command line. Run the appropriate command
from this table on page192 in a Terminal window.
36
Note: Under UNIX, no user interface is available for you to work with Listening VNC Viewer. If you need to
configure it before it starts, read Specifying VNC parameters on page130.
Under Windows and Mac OS X, hover the mouse cursor over the icon to confirm that Listening VNC Viewer
is running:
You do not need to configure Listening VNC Viewer, but if you want to do so before a connection is
established, select Default Options. For more information, start with Configuring VNC Viewer before you
connect on page37.
Note: Select New Connection to establish a connection to VNC Server in the normal way. Carry on from
Connecting to a host computer on page39.
If when a host computer user attempts to establish a reverse connection:
it is successful, Listening VNC Viewer displays the host computers desktop in a new window on the
client computer in exactly the same way as VNC Viewer. Carry on from The VNC Viewer user experience
on page40.
It is not successful, read Establishing a reverse connection on page102 in conjuction with the host
computer user.
Your client computer is protected by a proxy server. See Connecting via a proxy server on page38.
VNC Server mandates the single sign-on authentication scheme but you do not want to authenticate
automatically as the user you logged on to the client computer as. See Disabling single sign-on on
page39.
37
To configure VNC Viewer before you connect, click the Options button at the bottom of the VNC Viewer
dialog. The Options dialog opens:
Note that the Connection and Printing tabs are not available after you connect. More on this dialog.
Use Microsoft Internet Explorer proxy settings if you use Internet Explorer and it has already been
provisioned with proxy server information. Note this option has a different name under UNIX and Mac
OS X, and refers to system proxy environment variables.
Use these proxy settings to specify the network address of either an HTTP or a SOCKS 5 proxy
server, and a port on which an appropriate application or process is listening, separated by a colon.
If the proxy server is protected by BASIC or DIGEST authentication, enter a user name and password in
the appropriate boxes.
38
Configuring printing
By default, when you connect to VNC Server with an Enterprise or a Personal license, your client computers
default printer (if it has one) is shared with the host computer and made its default while the connection is in
progress. This means you can print host computer files directly to your local printer. For more information
about this feature, see Printing host computer files to a local printer on page62.
You can print but choose not to change the host computers default printer. This means you will have to
explicitly select your local printer when you print. To do this, turn off Make it the default printer on VNC
Server on the Printing tab.
To disable printing, choose Dont share a printer.
39
A. Desktop of a client computer running Windows 7. B. VNC Viewer displaying the desktop of a host computer
running Ubuntu 11.04 Linux.
Note: If the host computer is running UNIX, VNC Viewer may display a virtual desktop instead, in which
case what you see is not the desktop visible to a host computer user. For more information on this feature,
see Running multiple instances of VNC Server on page78.
40
Note that other VNC Viewer users may be connected to the host computer and controlling it at the same
time as you. In addition, a host computer user may be present. Operations may occur unexpectedly!
Moving the mouse and clicking within the VNC Viewer window affects the host computer and not the
client.
Moving the mouse and clicking outside the VNC Viewer window, or on the VNC Viewer title bar or
window buttons (Minimize, Maximize, and Close), affects the client computer and not the host.
Note: If your mouse has no effect on the host computer, it may have been disabled. For more information,
see Restricting access to features on page48.
If client and host computers have different numbers of mouse buttons, you can configure VNC Viewer to
emulate those you do not have. See Configuring your mouse on page47 for more information.
The function key that opens the shortcut menu (F8 by default).
These commands are interpreted by the client computer. Alternative ways of sending them to the host
computer are available; start with Using the shortcut menu on page43 for more information. Under
Windows and Mac OS X, note you can cause certain other keys and key combinations to be interpreted by
your client computer rather than the host. See Configuring your keyboard on page47 for more information.
Note: If your keyboard has no effect on the host computer, it may have been disabled. For more information,
see Restricting access to features on page48.
Note it is possible for client and host computers to have different types of keyboard. Not all the keys available
to a host computer user may be available to you, and some keys with the same name may have different
behavior. This is especially likely if you are connecting to Mac OS X from Windows or Linux with a PC
keyboard or vice versa; see www.realvnc.com/products/vnc/documentation/latest/misc/keyboard-mapping/.
See The VNC Server user interface on page82 for more information.
41
The following table explains the effect of clicking each toolbar button.
Button
Purpose
New Connection
Save Connection
Save the current connection so you can quickly reconnect without having to
remember the network address and authentication credentials. See Appendix A,
Saving Connections on page117.
Close Connection
Options
Configure most aspects of VNC Viewer while the current connection is in progress.
See Using the Options dialog on page44.
Note that some options must be configured before you connect. See Configuring
VNC Viewer before you connect on page37.
42
Send Ctrl-Alt-Del
Send the CTRL-ALT-DELETE command to the host computer. (Pressing this key
combination will be interpreted by the client computer.) You could alternatively
press SHIFT-CTRL-ALT-DELETE.
File Transfer
Browse to the location of client computer files to send to the host computer. See
Transfering files between client and host computers on page64.
Chat with other VNC Viewer users connected to the same host computer, or with a
host computer user. See Communicating securely using chat on page69.
Connection
Information
Display technical information about the current connection, such as the encryption
method and compression format. You may need this if you contact Technical
Support.
connection speed
Hover over to reveal the current connection speed. For more information on
performance, see Changing appearance and behavior on page46.
(Some standard Windows menu options have been omitted from this example.)
Note: Under Mac OS X, more Send <key> options are available to send Mac-specific commands to a host
computer also running Mac OS X.
The following table explains the effect of selecting shortcut menu options that do not have equivalent toolbar
buttons.
Option
Purpose
Turn on if the host computers mouse cursor appears to be behaving abnormally, for
example by accelerating too fast.
Send F8
Send an F8 command to the host computer. (By default, F8 opens the shortcut menu; see
Changing the shortcut menu key on page48 for how to choose a different key.)
Ctrl key
Alt key
Refresh Screen
43
Option
Purpose
Display version information. You may need this if you contact Technical Support.
Note: Some VNC Viewer options must be configured before you connect. For more information, see
Configuring VNC Viewer before you connect on page37.
To open the Options dialog, click the Options
toolbar button, or select Options from the shortcut menu.
(If the VNC Viewer toolbar or shortcut menu are not accessible, see Changing appearance and behavior on
page46.)
44
The first time you open this dialog, it opens in Basic mode, and only one tab is available, containing the most
common options. Click the Advanced button in the bottom left corner to switch to Advanced mode and see
all the tabs in the example above. Note that the Expert tab is recommended for expert users only.
By default, any changes you make apply both to the current connection and to all future connections to any
host computer. To apply changes just to the current connection, turn off Use these settings for all new
connections first.
Many of the options in this dialog are explained in the remainder of this chapter.
45
VNC Viewer does not scale the host computers desktop. Instead, scroll bars are added to the window if
the desktop is too large.
VNC Viewer displays the host computers desktop in a color quality appropriate to the network
connection speed.
Your mouse and keyboard are set to interact with the client and host computers in particular ways.
The VNC Viewer toolbar is accessible (from the top center hot area).
You can change these defaults by configuring options on the Display tab of the Options dialog. More on
this dialog.
46
Under Windows, turn off Pass special keys directly to VNC Server for WINDOWS (also known as
START), PRINT SCREEN, ALT-TAB, ALT-ESCAPE, CTRL-ESCAPE.
Under Mac OS X, turn off Pass media keys directly to VNC Server for VOLUME UP, PLAY, and similar
media keys.
47
Chat with other VNC Viewer users connected to the same host computer, or with a host computer user.
Note that:
VNC Viewer might have been configured to disable printing before the connection started; see
Configuring printing on page39.
VNC Server may have been configured to prevent some or all of these features; see Restricting
functionality for connected users on page109.
48
You can restrict access to features while the connection is in progress by configuring options on the Inputs
tab of the Options dialog. More on this dialog. You might want to do this if you are watching a
demonstration on the host computer, for example, and want to prevent inadvertent interruption.
Note: You can enable features again at any time. To prevent this for the current connection only, disable the
VNC Viewer toolbar and shortcut menu. For more information, see Changing appearance and behavior on
page46.
49
Disabling chat
You can disable chat. To do this, turn off Enable chat. For more information about this feature, see
Communicating securely using chat on page69.
50
4
Connecting From A Web Browser
This chapter explains how to connect to and control a host computer using VNC Viewer for Java. All you
need to do this is a Java-enabled web browser with which to download VNC Viewer for Java from VNC
Server with an Enterprise or a Personal license on demand; you do not have to install any software. This
may be useful if you are at an Internet caf, for example.
Note: VNC Viewer for Java is not available to download from VNC Server with a Free license.
Once downloaded, you can use the VNC Viewer for Java applet to establish a connection in exactly the
same way as VNC Viewer. You use your mouse and keyboard to control the host computer exactly as you
would using VNC Viewer.
Note: VNC Viewer for Java has considerably fewer remote control features than VNC Viewer. For more
information, see Connecting from VNC Viewer for Java on page15.
Contents
Connecting to a host computer
52
56
57
51
Note: If you are connecting over the Internet, you will probably need to enter the network address of a
router instead. See Connecting over the Internet on page28 for more information.
By default, VNC Server listens for download requests on port 5800. If the download request fails, it may
be because VNC Server is listening on a different port; see Qualifying a network address with a port
number on page30 for more information. A download request may also fail if the host computer is
protected by a router and/or a firewall and these devices have not been configured to allow access to
VNC Server at the correct port. For more information on this, and connection issues in general, see
Troubleshooting connection on page26.
52
3. If this is the first time you have downloaded VNC Viewer for Java, you are prompted to trust it:
You can do this in complete confidence. However, you can choose not to trust VNC Viewer for Java and
still connect, though note you cannot copy and paste text between applications in the normal way.
In the example above, click the Run button to trust VNC Viewer for Java, and Cancel to continue
connecting without trusting it.
If VNC Viewer for Java successfully downloads, the VNC Viewer dialog opens:
(In this picture, the web browser is Firefox 25. Note that the web browser window must stay open while the connection
is in progress.)
53
For more information on network addresses and port numbers, start with Step 3: Identify VNC Server
running on the host computer on page21.
To continue connecting:
1. From the Encryption dropdown, select an encryption option, or retain the default: Let VNC Server
choose. For more information on this, see Step 4: Request an encrypted connection on page22.
2. If you want to configure VNC Viewer for Java before you connect, click the Options button. For information on why you might want to do this, see Configuring VNC Viewer for Java before you connect on
page55.
3. Click the Connect button.
You may be asked to check the identity of VNC Server, acknowledge the encryption status, and
authenticate. For more information on these issues, see Step 5: Connect to VNC Server on page23.
If the connection is successful, VNC Viewer for Java displays the host computers desktop in a new window
on the client computer. Carry on from The VNC Viewer for Java user experience on page56.
If the connection fails for any reason, start with Troubleshooting connection on page26.
54
To make the connection more secure, choose an alternative to the default key length of 512 bits. This
option is on the Security tab.
To ensure your privacy at the start of the connection, turn off Shared (dont disconnect other VNC
Viewers) in order to disconnect other users. This option is on the Misc tab.
55
A. Desktop of a client computer running Windows 7. B. Java-enabled web browser. This window must stay open
while the connection is in progress. C. VNC Viewer for Java displaying the desktop of a host computer running Ubuntu
11.04 Linux.
The client computers mouse and keyboard are now shared with the host computer in exactly the same way
as VNC Viewer. For more information, start with Controlling the host computer using your mouse on
page41.
56
Copy and paste text between applications running on the client and host computers.
See the sections below for more information on these issues. For a summary of functionality that is not
available, see Connecting from VNC Viewer for Java on page15.
The following table explains the effect of selecting these menu options.
Option
Purpose
Close the current connection (and the VNC Viewer for Java window).
Clipboard
Preview the contents of the Clipboard and, providing copy and paste is enabled, paste it to an
application running either on the client or on the host computer. See Copying and pasting text
on page59.
Note that if you chose not to trust VNC Viewer for Java when you downloaded it, you can only
copy and paste text between the two computers via this dialog.
Send F8
Send an F8 command to the host computer. (F8 opens the shortcut menu.)
Send Ctrl-Alt-Del
Send the CTRL-ALT-DELETE command to the host computer. (Pressing this key combination
would be interpreted by the client computer.)
57
Option
Purpose
Refresh screen
New connection
Start a new connection to the same host computer, or to a different one, using the same web
browser session. You do not need to download VNC Viewer for Java again.
Options
Configure most aspects of VNC Viewer for Java while the current connection is in progress. See
Using the Options dialog on page58.
Note that some options must be configured before you connect. See Configuring VNC Viewer for
Java before you connect on page55.
Connection info
Display technical information about the current connection, such as the encryption method and
compression format. You may need this if you contact Technical Support.
Display information about VNC Viewer for Java. You may need this if you contact Technical
Support.
Dismiss menu
Note: Some VNC Viewer for Java options must be configured before you connect. For more information,
see Configuring VNC Viewer for Java before you connect on page55.
To open the Options dialog, select Options from the shortcut menu. More on this menu.
The following sections explain the options in this dialog.
58
Troubleshooting display
If the mouse cursor is not behaving in the expected way, turn off Render cursor locally. If the screen is not
updating properly, turn off Fast CopyRect. These options are on the Misc tab.
59
60
5
Exchanging Information
This chapter explains how to use VNC Viewer to exchange information with the host computer, or with other
VNC Viewer users connected at the same time as you.
Note: Not all features are available for connections to VNC Server with a Free license. For a summary, see
Connecting to VNC 5.x on page13.
Contents
Printing host computer files to a local printer
62
64
68
69
61
A. Local printer. B. Client computer running VNC Viewer. Printer A must be the clients default printer. C. Host
computer running VNC Server, and storing the files to print.
Note: To see how to make a printer the client computers default, consult its operating system
documentation.
This powerful feature is ready to use out-of-the-box. Open a host computer file in the VNC Viewer window
and print in the expected way for the application, for example by selecting File > Print. The local printer is
automatically shared with the host computer and made its default while the connection is in progress, so the
correct device should already be selected. Your request is added to the printers queue and executed in turn.
A best possible quality print finish is attempted. This may mean the contents of the file are scaled to fit the
dimensions of the local printers paper. If the results are unexpected, see Manipulating the quality of the
print finish on page62.
If the host computer file does not print to the local printer, start with Troubleshooting printing on page63.
62
number of pages per sheet, and advanced options such as changing the resolution or paper size. For more
information, consult the applications documentation.
Troubleshooting printing
Printing host computer files to a local printer should work out-of-the-box. If it does not, check the following:
1. Are you connected to VNC Server with an Enterprise or a Personal license? You cannot print when
connected to VNC Server with a Free license. For more information, see Connecting to VNC 5.x on
page13.
2. If you are using a previous version of VNC Viewer or VNC Server, is it at least version 4.5? Printing is not
supported by earlier versions.
3. Are both client and host computers running supported operating systems? Printing is not supported to or
from certain platforms, including HP-UX, AIX, and Windows NT 4; in addition, prior configuration is
required in order to print to or from Solaris 9 and 10, SUSE Linux, and systems with SE Linux enabled.
For the latest information, visit www.realvnc.com/products/vnc/documentation/latest/misc/printing/.
4. If the host computer is running Linux or Mac OS X, is CUPS version 1.3 or later installed? For more
information, consult the host computers operating system documentation.
5. Is the local printer connected to the client computer? Is it switched on? Is it ready to print? Does it have
paper? Is it set as the client computers default printer?
6. Has VNC Viewer been configured to disable printing? To see how to enable it again, read Disabling and
enabling printing on page62. You will have to close the current connection and then reconnect.
7. Has VNC Viewer been configured to prevent the local printer becoming the host computers default,
which means it is not automatically selected? The request may have been sent to the wrong printer. To
see how to make the local printer the host computers default so it is always selected, read Disabling and
enabling printing on page62. You will have to close the current connection and then reconnect.
Note that if another VNC Viewer user connected to the same host computer before you, then their local
printer becomes the host computers default. You cannot change this. You must always explicitly select
your local printer when you print.
If you have to explicitly select your local printer, note it will have a name of the form <printer name> via
VNC from <client computer name>, for example HP Color LaserJet CP2020 via VNC from
Neptune.
8. Has VNC Server been configured to disable printing? If this is the case and you do not have access to
the host computer, you will need to consult your system administrator or a host computer user. If you do
have access to the host computer, and sufficient privileges to configure VNC Server, you may be allowed
to enable it again; see Restricting functionality for all connected users on page110.
9. Has VNC Server been configured to prevent you printing? If this is the case and you do not have access
to the host computer, you will need to consult your system administrator or a host computer user. If you
do have access to the host computer, and sufficient privileges to configure VNC Server, you may be able
to allow it again; see Restricting functionality for particular connected users on page111.
63
VNC Viewer toolbar button. The File Transfer dialog opens on the client
2. Click the Send files button. The Send Files dialog opens.
3. Select a file or folder. To select multiple files and/or folders, hold down the SHIFT key.
Note: Under Windows, you cannot directly select a folder. Instead, double-click to open that folder, then
click Use Entire Folder. To select multiple folders, open the parent folder and click Use Entire Folder.
Note this means other files and folders in the parent folder will also be transfered.
64
4. Click Open (OK under UNIX). The File Transfer dialog opens on the host computer:
The most recent file transfer operation is highlighted. You can check its status, or pause or stop the
transfer if it takes more than a few seconds.
By default, files are downloaded to the host computers desktop (Downloads folder under Mac OS X).
To change this for future file transfer operations, select an option from the Fetch files to dropdown at the
bottom of the File Transfer dialog. Note you must have write permissions for the folder you choose.
Alternatively, you can ask to be prompted each time.
65
2. Click the Send files button. The Send Files dialog opens.
3. Select a file or folder. To select multiple files and/or folders, hold down the SHIFT key.
Note: Under Windows, you cannot directly select a folder. Instead, double-click to open that folder, then
click Use Entire Folder. To select multiple folders, open the parent folder and click Use Entire Folder.
Note this means other files and/or folders in the parent folder will also be transfered.
66
4. Click Open (OK under UNIX). The File Transfer dialog opens on the client computer:
The most recent file transfer operation is highlighted. You can check its status, or pause or stop the
transfer if it takes more than a few seconds.
By default, files are downloaded to the client computers desktop (Downloads folder under Mac OS X).
To change this for future file transfer operations, select an option from the Fetch files to dropdown at the
bottom of the File Transfer dialog. Note you must have write permissions for the folder you choose.
Alternatively, you can ask to be prompted each time.
If you were allowed to disable file transfer, you can enable it again at any time.
67
do have access to the host computer, and sufficient privileges to configure VNC Server, you may be
allowed to enable it again; see Restricting functionality for all connected users on page110.
5. Has VNC Server been configured to prevent you transfering files? If this is the case and you do not have
access to the host computer, you will need to consult your system administrator or a host computer user.
If you do have access to the host computer, and sufficient privileges to configure VNC Server, you may
be able to allow it again; see Restricting functionality for particular connected users on page111.
68
2. Has VNC Server been configured to disable copy and paste text? If this is the case and you do not have
access to the host computer, you will need to consult your system administrator or a host computer user.
If you do have access to the host computer, and sufficient privileges to configure VNC Server, you may
be allowed to enable it again; see Restricting functionality for all connected users on page110.
3. Has VNC Server been configured to prevent you copying and pasting text? If this is the case and you do
not have access to the host computer, you will need to consult your system administrator or a host
computer user. If you do have access to the host computer, and sufficient privileges to configure VNC
Server, you may be able to allow it again; see Restricting functionality for particular connected users on
page111.
4. Does the amount of text being copied and pasted exceeed 256kB? If so, the entire paste operation fails,
and the last text copied to the Clipboard is pasted instead.
Enter a message and click the Send button. The message is broadcast to a Chat dialog that opens on the
host computer, visible to you and to all other connected users (including a host computer user, if present):
Note: You are identified by the user name with which you authenticated to VNC Server, or as VNC Viewer
if you did not enter a user name to connect.
69
Note: A host computer user is identified by the text (Local) appended to the user name.
Note that the Chat dialog can also be minimized. If so, you are notified when new messages appear by the
taskbar button flashing (Windows and UNIX) or a number overlaid on the dock icon (Mac OS X).
Chat messages are stored on the host computer for 90 days. To stop recording messages, select Tools >
Options in the Chat dialog, and turn off Log chat history. Alternatively, you can reduce the number of days,
or switch to storing a particular number of messages.
To clear the conversation window, delete the vncchat.xml file. Under UNIX and Mac OS X, this file is
located in the host computer users .vnc directory (you can configure the location under Windows). Under
UNIX and Mac OS X, you must first stop VNC Server, delete the file, and then restart.
70
Note that when a VNC Viewer user disconnects, messages sent by that user change color in the Chat
dialog.
Note: Chat is only disabled for you, and not for any other connected VNC Viewer user. You can still view
messages in the Chat dialog.
You can enable chat again at any time.
Troubleshooting chat
If you cannot use chat, check the following:
1. Are you connected to VNC Server with an Enterprise or a Personal license? You cannot chat to users of
VNC Server with a Free license. For more information, see Connecting to VNC 5.x on page13.
2. If you are using a previous version of VNC Viewer or VNC Server, is it at least version 4.5? Chat is not
supported by earlier versions.
3. Is there anyone to chat with? The VNC Server dialog reveals if any VNC Viewer users are connected.
More on this dialog.
4. Has VNC Viewer been configured to disable chat? To see how to enable it again, read Disabling and
enabling chat on page71.
5. Has VNC Server been configured to disable chat? If this is the case and you do not have access to the
host computer, you will need to consult your system administrator or a host computer user. If you do
have access to the host computer, and sufficient privileges to configure VNC Server, you may be allowed
to enable it again; see Restricting functionality for all connected users on page110.
6. Has VNC Server been configured to prevent you chatting? If this is the case and you do not have access
to the host computer, you will need to consult your system administrator or a host computer user. If you
do have access to the host computer, and sufficient privileges to configure VNC Server, you may be able
to allow it again; see Restricting functionality for particular connected users on page111.
71
72
6
Working With VNC Server
Once licensed, VNC Server enables connections to the host computer on which it runs out-of-the-box. You
should not need to configure it. However, you can change almost any aspect to suit your requirements and
environment if you wish.
This chapter explains how to operate VNC Server. It also explains advanced scenarios such as running
multiple instances concurrently and in different modes, configuring ports, and troubleshooting. For
comprehensive security information, see Chapter 7, Making Connections Secure on page95.
This chapter assumes you have access to the host computer and sufficient privileges to configure both it and
VNC Server. Note that if you are setting up VNC Server for unattended access, some features require a host
computer user to be present when a connection is established, and are therefore not recommended.
Contents
Licensing VNC Server
74
75
78
82
87
89
Changing ports
90
92
93
73
At the command line using the vnclicense utility; start with www.realvnc.com/products/vnc/
documentation/latest/reference/vnclicense.html.
Remotely to Windows computers by deploying the VNC Server MSI using Group Policy; visit
www.realvnc.com/products/vnc/deployment/msi/.
Centrally for UNIX computers by hosting VNC Server on a network share; see Hosting VNC on a UNIX
network share on page145.
Until you do, users will only be able to connect to these instances for a limited time.
74
Note that administrative privileges may be required to perform this operation if you are not the user starting
VNC Server.
75
To see how to start VNC Server, follow the platform-specific instructions below. In most circumstances, a
VNC Server dialog appears:
(In this picture, VNC Server is running in Service Mode under Windows.)
The VNC Server dialog is the gateway to VNC Server and all its features. More on this dialog.
To see how to stop VNC Server, or to learn why VNC Server might stop automatically, read Stopping VNC
Server on page93.
Windows
Service Mode, search for or navigate to VNC Server, or run the appropriate command in this table on
page190. Administrative privileges are required.
Note: By default, VNC Server automatically starts as a service when the computer is powered on. If you
explicitly stop VNC Server, however, the service does not restart when the computer is rebooted.
User Mode, search for or navigate to VNC Server (User Mode), or run the appropriate command in this
table on page190.
Note: Microsoft User Account Control severely restricts users connected to VNC Server in User Mode
from fully controlling a host computer running Windows Vista or later.
76
UNIX
User Mode, search for or navigate to VNC Server (User Mode), or run the appropriate command in this
table on page190.
Service Mode, run the appropriate command for your system, for example /etc/init.d/vncserverx11-serviced start or systemctl start vncserver-x11-serviced.service. Typically, it
is useful to have this service start automatically when the computer powers on; visit www.realvnc.com/
products/vnc/documentation/latest/reference/vncserver-x11-serviced.html for more information.
Virtual Mode, run the command vncserver-virtual. Note you should not do this with elevated
privileges. No user interface is available to help you work with VNC Server in this mode; instead, a
message is printed to the console. See Working with VNC Server in Virtual Mode on page80 for more
information.
Note: If you have an Enterprise license, you can run VNC Server in Virtual Mode as a service, in which
case a new instance is started automatically, and a virtual desktop created, on demand. See Creating
virtual desktops on demand on page81 for more information.
Mac OS X
Service Mode, search for or navigate to VNC Server, or run the appropriate command in this table on
page191. Note elevated privileges are required.
Note: VNC Server in Service Mode automatically starts when the computer powers on.
User Mode, search for or navigate to VNC Server (User Mode), or run the appropriate command in this
table on page191.
77
Run VNC
Server in...
Platforms
Service Mode
All
Exactly what a person sitting in front of the host computer would see.
This is either the desktop of a user account if one is currently logged
on, or the Login screen if not. Note VNC Server is typically set to start
when the system powers on, and users can connect and reconnect
until VNC Server is explicitly stopped.
All
Exactly what a person sitting in front of the host computer would see
while the current user account is logged on. When this user account is
logged off, VNC Server automatically stops, users are disconnected,
and cannot reconnect. Note the Login screen is not available to
connected users.
UNIX
User Mode
Remote the
desktop of the
currently loggedon user account
Create and
remote a virtual
desktop
Virtual Mode
With an Enterprise license, you can run VNC Server in Virtual Mode as
a service, which means virtual desktops can be created on demand.
These virtual desktops, however, do not persist. See Creating virtual
desktops on demand on page81.
VNC Server can run in Service Mode and User Mode concurrently, though this is not generally useful, and
likely to result in port conflicts. See Changing ports on page90 for more information.
Under UNIX, VNC Server is designed to run in Virtual Mode as many times as your license has available
desktops. It can safely be run concurrently with either other mode.
For platform-specific information, see the sections below. To see how to start VNC Server in different modes,
read Starting VNC Server on page75.
Windows
You can start VNC Server a maximum of twice on a host computer; once in Service Mode, and once in User
Mode for the currently logged on user account.
Note: Microsoft User Account Control severely restricts users connected to VNC Server in User Mode from
fully controlling a host computer running Windows Vista or later. The connected user loses mouse and
78
keyboard control if a program requiring administrative privileges is run (this may or may not be preceded by
a User Account Control prompt), and can only continue if a host computer user closes the program, or
accepts the prompt.
Once connected to VNC Server in either mode, a user has the same privileges (that is, access rights) on the
host computer as the currently logged on user account. This need not be a user with administrative
privileges even if the credentials of one were supplied in order to authenticate to VNC Server; see
Authenticating users on page96 for more information. The opposite also holds true: a connected user has
administrative privileges if such a user account is currently logged on.
UNIX
You can start VNC Server as many times as your license permits. Each time you do, one desktop is
decremented from your license. To see how many are left, run the command vnclicense -check. For
example:
Licensed desktops: 5
Running desktops: 3
johndoe: 2
janedoe: 1
This means that five desktops are licensed to run concurrently on the host computer, and three are already
running; two started by John Doe, and one by Jane Doe. Two are left to run.
Note: You can re-increment your license by killing desktops. To see how to do this, read Stopping VNC
Server on page93.
You can start VNC Server once in Service Mode. You can start VNC Server once in User Mode for the
currently logged on user account. And you can start VNC Server in Virtual Mode to create as many virtual
desktops as you need.
Once connected to VNC Server in:
User Mode or Service Mode, a user has the same privileges (that is, access rights) on the host computer
as the currently logged on user account. This need not be a user with administrative privileges even if
the credentials of one were supplied in order to authenticate to VNC Server; see Authenticating users on
page96 for more information. The opposite also holds true: a connected user has administrative
privileges if such a user account is currently logged on.
Virtual Mode, a user has the same privileges as the host computer user starting VNC Server,
irrespective of whether or not a user account is currently logged on.
Mac OS X
You can start VNC Server as many times as your license permits. Each time you do, one desktop is
consumed from your license. To see how many are left, run the command /Library/vnc/vnclicense check; see the UNIX section above for an explanation of the output.
You can start VNC Server once in Service Mode. You can start VNC Server once in User Mode for the
currently logged on user account. And you can start VNC Server in User Mode for other user accounts
providing Fast User Switching is turned on, and the StopUserModeOnSwitchOut VNC parameter is set to
False. See Appendix C, VNC Parameters on page153 for more information.
Once connected to VNC Server in either mode, a user has the same privileges (that is, access rights) on the
host computer as the currently logged on user account. This need not be a user with administrative
79
privileges even if the credentials of one were supplied in order to authenticate to VNC Server; see
Authenticating users on page96 for more information. The opposite also holds true: a connected user has
administrative privileges if such a user account is currently logged on.
In this example, display number 1 has been automatically assigned, corresponding to port 5901. To assign a
particular display number, declare it explicitly, for example:
vncserver-virtual :2
Specify VNC parameters in appropriate VNC configuration files, or at the command line when you start
VNC Server. See Specifying VNC parameters on page130 for more information.
Configure VNC Server as a connected user. To do this, start VNC Viewer and supply the network
address and display number (see the example output above). Once connected, (virtual) desktop artifacts
are available to help you work with VNC Server. See The VNC Server user interface on page82 for more
information.
80
Product updates to which you are entitled, if you have an Enterprise or a Personal license and a valid
support and upgrades contract; see Contacting Technical Support on page8.
If any appropriate downloads are detected, you are directed to visit the RealVNC web site.
Note: This is a secure web service and no personally identifiable information is collected or stored.
The first time you start VNC Server, you are asked whether you would like an automatic check to occur daily.
You can subsequently edit your choice on the Updates page of the VNC Server Options dialog. More on
this dialog.
To alter the frequency of the update check, specify the UpdateCheckFrequencyDays VNC Server
parameter.
In addition, or alternatively, users can perform a manual check by selecting Check for updates on the VNC
Server shortcut menu. More on this menu.
81
is displayed:
Under Windows, in the Notification area. Under Windows 7, this is hidden by default and accessible only
from
Under Windows XP, the icon may be hidden by other icons. Under Windows 8, the icon is not available
on the Start screen, only the Desktop application.
Note: Some versions of UNIX are not able to display a VNC Server icon.
Provides visual confirmation that VNC Server is running. If the icon is not available, then typically VNC
Server is not running.
Provides visual confirmation that VNC Server is configured correctly. If not, a red error glyph
Open the VNC Server dialog to begin diagnosing the problem. More on this dialog.
Confirms whether users are connected or not. When the first user connects, the icon is shaded black
When the last user disconnects, the icon reverts color again.
82
appears.
Provides convenient notification of the mode. Hover the mouse cursor over the icon:
Has a shortcut menu that performs useful operations. More on this menu.
(Note that menu options are disabled if they are not available.)
Note: The shortcut menu is also available from the More button on the VNC Server dialog. More on this
dialog.
The following table explains the purpose of each shortcut menu option.
Option
Purpose
Open
Work with VNC Server. See The VNC Server dialog on page84.
Information Center
Understand and resolve issues affecting VNC Server, and retrieve system diagnostics.
See Troubleshooting VNC Server on page87.
Options
Configure VNC Server. Note administrative privileges are required for VNC Server in
Service Mode. See Troubleshooting VNC Server on page87.
Connections
About
See version and trademark information, and a list of open source dependencies.
83
Option
Purpose
Disconnect all users. Note that, by default, users can immediately reconnect.
Guest Access
When turned on, and providing VNC Server is configured correctly, a Guest is allowed
to connect, bypassing VNC Servers authentication scheme. See Allowing a Guest to
connect on page103.
Not available for VNC Server with a Free license.
Chat
Chat with all connected users. See Communicating securely using chat on page69.
Not available for VNC Server with a Free license.
File Transfer
Send files to all connected users. See Transfering files between client and host
computers on page64.
Not available for VNC Server with a Free license.
Licensing
Apply a license key to VNC Server. See Licensing VNC Server on page74.
Check for crtical security patches and product updates. See Keeping VNC Server upto-date on page81.
Stop VNC Server, disconnecting all users. Note administrative privileges are required
for VNC Server in Service Mode. See also Stopping VNC Server on page93.
84
To open the VNC Server dialog, click its taskbar entry in the normal way for a program, or select Open from
the VNC Server shortcut menu. More on this menu.
The VNC Server dialog:
Confirms the license type and mode. See Confirming key information on page85.
Reveals whether VNC Server is ready to accept connections. See Troubleshooting VNC Server on
page87.
Provides information to help users connect. Start with Getting users connected on page85.
Displays the VNC Server catchphrase and signature. See Uniquely identifying VNC Server on page86.
Shows expiry dates for trials or support contracts. See Showing expiry dates on page87.
Note: The VNC Server dialog also has a More button providing access to the same features as the VNC
Server shortcut menu. More on this menu.
You can apply a license key at any time. See Licensing VNC Server on page74 for more information.
For more information on modes, start with Running multiple instances of VNC Server on page78.
In this picture, VNC Server is running on a host computer with a private network address of 192.168.5.54. In
addition:
VNC Server is listening for connections on port 5980. The port number is separated from the network
address by a single colon, which means it represents a port in the range 5901 to 5999. Note that:
If the port number is separated from the network address by two colons, it represents a port outside
the range 5900 to 5999, so for example 192.168.5.54::80 means VNC Server is listening on port 80.
If no port number is displayed, VNC Server is listening on the default port for VNC, 5900.
VNC Server with an Enterprise or a Personal license is serving VNC Viewer for Java on port 5880.
85
In this picture:
Two IPv6 network addresses are available. Note these are only valid in an IPv6-enabled environment.
The Bonjour or Avahi name is displayed. Note only Zeroconf-enabled applications such as VNC Viewer
for Android or VNC Viewer for iOS are able to discover VNC Server; VNC Viewer is not Zeroconfenabled in this release. Note this feature is also not available with a Free license.
When a user connects to VNC Server for the first time, they are asked to verify its identity. For more
information on this security feature, see Verifying the identity of VNC Server on page114.
86
Click the Details button to identify and manage connected users. The Connections tab of the Information
Center dialog opens:
Authenticated to VNC Server by supplying the credentials of the John Doe user account. For more
information on system authentication, start with Authenticating using system credentials on page96.
Has an administrative set of VNC permissions, permitting unrestricted access to remote control features
while the connection is in progress. For more information, see Restricting functionality for particular
connected users on page111.
If you are trialling VNC Server, you are informed when your trial expires.
If you have purchased VNC Server, you are informed when your support and upgrades contract expires.
A message indicates that, while VNC Server is configured correctly, some minor aspect could be improved.
87
A warning does not prevent users connecting, but indicates that some important aspect of VNC Server, such
as performance or security, could be improved.
The status bar turns red if there are errors:
You can:
Repair VNC Server. On the Issues tab, follow the instructions for each issue.
List all license keys applied to VNC Server, and the features provided by each, on the Licenses tab.
Send system diagnostics to Technical Support. On the Diagnostics tab, click the Save As button.
88
Find out the address of a router protecting the host computer in preparation for Internet connections. On
the Diagnostics tab, click the Test Internet Connection button. See Connecting over the Internet on
page28 for more information.
Note: The Information Center dialog is also available from the VNC Server shortcut menu. More on this
menu.
Note: To see how to configure VNC Server before it starts, or lock down the application to prevent changes,
start with Configuring VNC on page130.
To open the Options dialog, select Options from the VNC Server shortcut menu. More on this menu. Note
that for VNC Server in Service Mode, elevated privileges are required.
For information on some of the options in this dialog, see the subsequent sections in this chapter, starting
with Changing ports on page90. For security-related information, see Chapter 7, Making Connections
Secure on page95. For the Expert page, see .
89
Note that configuring an option affects all future connections. Unless otherwise stated in the sections that
follow, configuring an option affects currently connected users as well.
Changing ports
By default, VNC Server listens for VNC connection requests on a particular port. In addition, VNC Server
with an Enterprise or a Personal license listens for VNC Viewer for Java download requests on a different
port. You can change these ports, or make them the same.
Note: VNC Viewer for Java cannot be downloaded from VNC Server with a Free license. Upgrade to an
Enterprise or a Personal license if flexibility is important to you.
By default, two separate ports are assigned when VNC Server starts, one for VNC connections and one for
VNC Viewer for Java downloads:
VNC Server in both Service Mode and User Mode is assigned port 5900 for connections and port 5800
for downloads.
Under UNIX, the first instance of VNC Server in Virtual Mode is assigned port 5901 for connections and
port 5801 for downloads. Subsequent instances of VNC Server in Virtual Mode are assigned port
numbers incremented by one, where possible, for example 5902, 5903 (and 5802, 5803) and so on, up
to the maximum number of desktops permitted by the host computers license.
Note: For more information about running multiple instances of VNC Server, and the different modes, see
Running multiple instances of VNC Server on page78.
If more than one instance of VNC Server is running on a host computer, they must all listen on different
ports; see below for information on resolving port conflicts. Note, however, that a particular instance of VNC
Server can listen on the same port for VNC connections and for VNC Viewer for Java download requests;
see Making the connection and download port the same on page91 for more information.
Note: When connecting to VNC Server, a user must qualify the host computers network address with the
port number in all cases except when VNC Server is listening for VNC connections on port 5900 only. For
more information, see Qualifying a network address with a port number on page30.
90
Users need to know the new port number (if it is not 5900) in order to connect. For more information, see
Qualifying a network address with a port number on page30.
If the host computer is protected by a firewall, then the firewall must be configured to allow incoming
network communications to the new port. For more information, see Allowing network communications
through a firewall on page31.
If the host computer is protected by a router and users are connecting over the Internet, then the router
must be configured to forward communications to the new port. For more information, see Configuring a
router to forward network communications on page29.
To change the port, enter a different number in the Port field opposite Allow VNC connections. Note that
changing this option does not affect currently connected users.
Web browser users need to know the new port number in order to download. For more information, see
Qualifying a network address with a port number on page30.
If the host computer is protected by a firewall, then the firewall must be configured to allow incoming
network communications to the new port. For more information, see Allowing network communications
through a firewall on page31.
If the host computer is protected by a router and web browser users will connect over the Internet, then
the router must be configured to forward communications to the new port. For more information, see
Configuring a router to forward network communications on page29.
To change the port, enter a different number in the Port field opposite Serve VNC Viewer for Java. Note
that changing these options does not affect currently connected users.
91
Note: You can replace notifications with connection prompts that enable a host computer (or an alreadyconnected user) to accept or reject new users. For more information, see Preventing particular users
connecting on page108.
92
All modes and under all platforms except those below, select Stop VNC Server from the VNC Server
shortcut menu. More on this menu. Administrative privileges may be required.
Note: Under Windows, VNC Server in Service Mode will not automatically restart if you do this and then
reboot the host computer.
Service Mode under UNIX, run the appropriate command for your system, for example /etc/init.d/
vncserver-x11-serviced stop or systemctl stop vncserver-x11-serviced.service.
For more information, or to see how to prevent VNC Server starting again when the computer is
rebooted, visit www.realvnc.com/products/vnc/documentation/latest/reference/vncserver-x11serviced.html.
Virtual Mode under UNIX, run the command vncserver-virtual -kill :x, where x is the X
Window System display number. For more information, see Connecting to VNC Server in Virtual Mode
on page80.
All modes and under all platforms, when the host computer is powered down.
User Mode under all platforms, when the user account in which it was started is logged off.
Under Windows, VNC Server in User Mode stops automatically when the last user disconnects if the
When last user disconnects option is changed to Log the current user account off. For
more information, see Protecting privacy on page115.
A connected user can explicitly stop VNC Server in User or Virtual Mode.
A connected user can explicitly stop VNC Server in Service Mode if they have administrative privileges.
A connected user can log off and/or power down the host computer.
To see how to start VNC Server again, read Starting VNC Server on page75.
93
94
7
Making Connections Secure
VNC Server with an Enterprise or a Personal license authenticates connecting users and encrypts
connections end-to-end out-of-the-box. This chapter explains how to configure VNC Server to relax the
authentication and encryption rules if you consider it safe to do so. Conversely, you can tighten the
encryption rules for VNC Server with an Enterprise license, if necessary.
Note: VNC Server with a Free license can authenticate users but not encrypt connections. Upgrade to an
Enterprise or a Personal license if security is important to you.
This chapter also explains how to protect the host computer from accidental or malicious damage by users,
either by restricting their access to remote control features while connections are in progress, or by
preventing them connecting in the first place.
Contents
Authenticating users
96
96
98
99
101
104
105
109
114
Protecting privacy
115
95
Authenticating users
By default, all connecting users must authenticate to VNC Server. Note this is not the same as logging on to
a user account on the host computer, though the same credentials may be used for both operations.
By default, VNC Server with:
An Enterprise or a Personal license is set to use the system authentication scheme. This means that
connecting users can supply the same credentials they use to log on to the host computer in order to
authenticate to VNC Server. Note that user accounts must be registered with VNC Server. See
Authenticating using system credentials on page96.
A Free license is set to use the VNC authentication scheme. This means that connecting users must
supply a password specific to VNC. See Authenticating using a password specific to VNC on page98.
Relax the authentication rules for all connecting users. See Relaxing the authentication rules on
page99.
Allow particular users to bypass authentication. See Bypassing the authentication rules on page101.
Under any platform, of a local user account (that is, one set up directly on the host computer).
Under Windows and Mac OS X, providing the host computer is joined to a domain, of a domain user
account (one that is managed by a network service such as Active Directory). Note that prior
configuration is required to use domain accounts under UNIX; see Managing system authentication on
page141 for more information.
Under Windows 8, providing the host computer is connected to the Internet, of a cloud user account (that
is, a Microsoft account, in which the email address constitutes the user name).
Certain user accounts and groups are pre-registered with VNC Server, to enable basic connectivity out-ofthe-box. See Managing the list of registered user accounts and groups on page97 for more information.
Note: Under Windows, it is possible to create a local user account for a computer that does not have a
password set (this is likely for friends and family only). However, a connecting user cannot leave the VNC
Viewer Password field empty. Either change the authentication scheme, or specify a password for the local
user account (recommended).
96
Note that under any platform, the credentials supplied by a user in order to authenticate to VNC Server
determine the VNC permissions granted to that user. VNC permissions control the availability of remote
control features such as file transfer and chat while their connection is in progress. By default, an
administrative set of VNC permissions is granted. For more information on what this means, and to see how
to revoke VNC permissions in order to disable remote control features, see Restricting functionality for
particular connected users on page111.
Under each platform, system authentication is managed by an appropriately-named option in the Security >
Authentication dropdown of the Options dialog. More on this dialog.
Note: This option is called UNIX password and Mac password under their respective platforms.
In this example, the built-in Windows Administrators group is registered, which means that any user in
this group can authenticate to VNC Server. Note this group typically includes Domain Admins if the host
computer is joined to a domain.
97
Note: Guest access is disabled by default. See Allowing a Guest to connect on page103 for more
information.
The following table lists the pre-registered user accounts and groups for all platforms and modes, to enable
connectivity out-of-the-box:
Mode
Windows
Mac OS X
Service
Administrators group
admin group
UNIX
admin group
User
User account starting VNC Server User account starting VNC Server User account starting VNC Server
Virtual
To add a new user account or group, click the Add button, and follow the instructions. Note if you remove all
user accounts and groups from the list, connections cannot be established.
To specify a new or to change an existing password, open the Users & Permissions page, select the
Standard user, and click the Password button. Note that connecting users must supply this password in
order to authenticate to VNC Server, but need not provide a user name.
98
Note: VNC Server with a Free license does not support additional users. Upgrade to an Enterprise or a
Personal license if flexibility is important to you.
To do this, make sure VNC password is selected in the Security > Authentication dropdown, and open
the Users & Permissions page:
Note: Guest access is disabled by default. See Allowing a Guest to connect on page103 for more
information.
Click the Add button, and follow the instructions to create:
An administrative user. Connecting users must supply the user name Admin and the password you
specify in order to authenticate to VNC Server. These users can bypass connection prompts and, once
connected, can use all available remote control features. For more information on connection prompts,
see Preventing particular users connecting on page108.
A view-only user. Connecting users must supply the user name ViewOnly and the password you
specify in order to authenticate to VNC Server. Once connected, users can observe but not interact.
Personal
Free
YES
YES
YES
(default)
YES
YES
YES
99
Note that the domain accounts of all prospective users must be registered with VNC Server on the Users &
Permissions page:
See Managing the list of registered user accounts and groups on page97 for more information. Note that
VNC permissions are granted to each connected user in the same way as for system authentication.
100
Establish a reverse connection to a particular client computer. See Establishing a reverse connection on
page102.
If VNC Server has an Enterprise or a Personal license, allow a particular user to connect as a Guest.
See Allowing a Guest to connect on page103.
Clearly, you should only establish reverse connections to client computers with trustworthy prospective
users, and only allow trustworthy users to connect as Guests.
Note: If you are setting up VNC Server for unattended access, note that a host computer user must be
present for either of these features to work.
101
102
Note: If the Guest Access menu option is turned off, guests cannot connect. Note that other connected
users can turn this menu option on and off.
103
Connecting users must supply the user name Guest. There is no need to supply a password.
Unless you grant Administrative permissions to Guests, each is subject to a connection prompt,
giving the host computer (or an already-connected) user the ability to accept or reject the connection, or
make it view-only:
By default, if no response is received within ten seconds, the connection is automatically rejected. For more
information on connection prompts, see Preventing particular users connecting on page108.
Relax the encryption rules if you are sure all potential client computers are within a secure network
environment, and that eavesdropping is impossible. This may improve performance. It may also allow
older versions of VNC Viewer, or VNC-compatible Viewer technology, that do not support encryption to
connect.
Note: Even if encryption is turned off, a password supplied by a connecting user in order to authenticate
to VNC Server is always encrypted.
Tighten the encryption rules by increasing the AES key size to 256-bit. This makes connections ultrasecure, but may impact performance slightly. It also means only VNC Viewer 4.6 or later can connect.
For VNC Server with a Personal license, you can only relax the encryption rules; 256-bit AES encryption is
not available. Upgrade to an Enterprise license if maximum security is important to you.
104
To change the encryption rules, select an alternative to the default Always on option from the Security >
Encryption dropdown of the Options dialog. More on this dialog.
Choose:
Always maximum to specify 256-bit AES. Note that only VNC Viewer 4.6 or later can connect. A
connecting user cannot request that encryption be turned off, or the AES key size be reduced to 128-bit.
Prefer on to prefer, though not mandate, that connections be encrypted using 128-bit AES. A
connecting user can request either that encryption be turned off (by selecting Prefer off in the VNC
Viewer dialog), or the AES key size be increased to 256-bit (by selecting Always maximum in the VNC
Viewer dialog).
Prefer off to prefer, though not mandate, that connections be unencrypted. Choose this option to
allow older versions of VNC Viewer, or VNC-compatible Viewer technology, to connect. A connecting
user can request that encryption be turned back on, either to 128-bit AES (by selecting Prefer on or
Always on in the VNC Viewer dialog), or to 256-bit AES (by selecting Always maximum in the VNC
Viewer dialog).
For more information about requesting encryption in the VNC Viewer dialog, see Step 4: Request an
encrypted connection on page22.
If VNC Server has an Enterprise or a Personal license, web browser users can download VNC Viewer for
Java and use it to connect.
You can:
Prevent all incoming connections (reverse connections can still be established). See Preventing all
incoming connections on page106.
Prevent connections from particular client computers. See Preventing connections from particular client
computers on page106.
Prevent particular users connecting. See Preventing particular users connecting on page108.
105
To:
Prevent all incoming connections, including VNC Viewer for Java downloads, turn off Allow VNC
connections over TCP.
Prevent just VNC Viewer for Java downloads, turn off Serve VNC Viewer for Java.
Note that:
You can still use VNC Server to establish reverse connections to client computers. See Establishing a
reverse connection on page102 for more information.
106
By default, connections are accepted from all client computers. To filter one or more computers:
1. Open the Connections page of the Options dialog. More on this dialog.
3. Specify a IPv4 network address, or range of addresses, and then choose one of the following options:
To:
Choose:
107
To:
Choose:
Note that if you create multiple filter rules, their order in the list on the Connections page is important. The
first matching rule determines what happens to a particular client computer. For example, if a rule rejecting a
client computer is encountered before one accepting it, then all connections from that client computer will be
rejected. You can move rules up and down in the list using the arrows.
By default, the Default rule accepts connections from all client computers. You can change this so that it
rejects or queries all connections instead. To do this, select the Default rule, and click the Edit rule button.
Note this rule is always last in the list.
A connection prompts enables a host computer (or an already-connected) user to identify a connecting user
and either accept or reject their connection, or make it view-only. By default, if no response is received within
ten seconds, the connection is automatically rejected. Note if you are setting up VNC Server for unattended
access then enabling this feature may prevent users connecting.
Note: In some circumstances, certain users are able to bypass connection prompts. To see how to subject
these users to prompts, read Restricting functionality for particular connected users on page111.
108
To show connection prompts, turn on Show accept/reject prompt for each connection on the
Connections page of the Options dialog. More on this dialog.
Note: This option has a slightly different name under VNC Server in Virtual Mode.
Copy and paste text between applications running on the host and their client computer.
If VNC Server has an Enterprise or a Personal license, connected users can also:
Chat with other users connected to the same host computer, or with a host computer user.
Print to a local printer (that is, one connected to the client computer).
You can:
Restrict functionality for all connected users. See Restricting functionality for all connected users on
page110.
For VNC Server with an Enterprise or a Personal license, restrict functionality for particular connected
users. See Restricting functionality for particular connected users on page111.
109
(VNC Server with an Enterprise or a Personal license. A Free license has fewer features.)
110
Single sign-on; see Authenticating users automatically on page100 (Enterprise licenses only)
then a configurable set of VNC permissions is granted to each user account registered with VNC Server, or
to all the user accounts in a registered group.
Note: Configurable permissions are not available for the VNC authentication scheme. Choose a different
scheme, or upgrade from VNC Server with a Free license.
To see the list of registered user accounts and groups, open the Users & Permissions page of the Options
dialog. More on this dialog.
In this example, the built-in Windows Administrators group grants an administrative set of permissions
to all users in the group. For more information, and to see which user accounts and groups are preregistered with VNC Server, read Managing the list of registered user accounts and groups on page97.
To change the permissions granted by a particular user account or group, select it in the list and, from the
Permissions dropdown, choose either:
Normal permissions to grant connected users access to all remote contol features.
Administrative permissions to allow connecting users to bypass connection prompts, and then
grant access to all remote control features.
111
To:
Grant permission to use a particular feature, turn on Allow. If a group is selected, this can be overridden
for an individual member by turning on Deny.
Disallow permission to use a feature, turn off Allow. If a group is selected, this can be overridden for an
individual member by turning on Allow or Deny.
Note that:
Omitting to grant the View the desktop permission means connected users see only a blank screen.
Granting permission to use the following features has no effect if those features are disabled globally:
Control desktop using keyboard
Control desktop using mouse
Copy and paste text in either direction
Chat with other users
Transfer files in either direction
Print to a local printer
See Restricting functionality for all connected users on page110 for more information.
112
Consider the following example of a registered Domain Admins group consisting of two user accounts,
johndoe and janedoe. The johndoe user account is also registered separately, for fine-grained control:
The following table explains for whom the printing feature is available given that johndoe inherits
permissions from Domain Admins, but can override these in certain circumstances:
Is printing available?
johndoe
Allow
Domain Admins
Allow
Deny
Allow
YES
janedoe: YES
johndoe: NO
janedoe: YES
johndoe: NO
Allow
janedoe: NO
johndoe: YES
NO
NO
Deny
NO
NO
NO
113
Under Windows and Mac OS X, this signature uniquely identifies a particular instance of VNC Server
running on a host computer.
Under UNIX, this signature is shared by all instances of VNC Server started by the same computer user.
Note: This feature is not available for VNC Server with a Free license. Upgrade to an Enterprise or a
Personal license if security is important to you.
The VNC Server signature and catchphrase (a more-memorable version of the signature) are displayed in
the Get Started area of the VNC Server dialog. More on this dialog.
When a user connects from a particular client computer for the first time, the signature and catchphrase are
published. The user is asked to verify that the information they see matches that of VNC Server; see
Checking the identity of VNC Server on page24 for more information.
A VNC Server signature should not change. The next (and all subsequent) times a user connects from the
same client computer, the signature is not published. If the signature changes, it may be because a third
party is interrupting the connection between client and host computers and eavesdropping on
communications a so-called man-in-the-middle attack. If a user sees a message similar to the following:
114
Protecting privacy
By default, VNC Server promotes sharing. That is to say, multiple users can connect at the same time, all
connected users can observe each others operations, and if a host computer user is present, then that user
can observe the operations of connected users.
Note: To allow only one connection at a time, specify VNC Server parameters; start with AlwaysShared in
VNC Server parameters on page155 for more information.
Under some platforms, you can configure VNC Server to uphold other aspects on the Privacy page of the
Options dialog. More on this dialog.
To:
Prevent a host computer user observing the operations of connected users, turn on Blank screen while
users are connected (Windows only; not available under Windows 8).
Prevent a host computer user interrupting the operations of connected users, turn on Disable keyboard
and mouse while users are connected (Windows only).
Protect the host computer when no connections are in progress, select an appropriate option from the
When last user disconnects dropdown (Windows and Mac OS X 10.5+; VNC Server in Service Mode
only).
For more information on notification messages, see Notifying when users connect on page92.
115
116
A
Saving Connections
This appendix explains how to use VNC Viewer to save connections so you can quickly connect to favorite
host computers again with just a few mouse clicks.
Note: You can save connections to desktop icons. You can save connections to VNC Address Book if you
installed VNC on the client computer. See Setting up the client computer on page12 for more information.
A saved connection remembers the network address of the host computer and the authentication
credentials required to connect to VNC Server, so you do not have to, and automatically recreates your
preferred working environment each time.
Contents
Saving connections to VNC Address Book
118
123
124
127
117
Choose:
Dont save VNC Server password in order to forget the password. You will need to enter it each
time you use VNC Address Book to connect.
Save VNC Server password to save the password in obfuscated, though not encrypted, form. You
will no longer need to remember the password. However, since the connection will not be protected
by the VNC Address Book master password, any other user of your client computer will also be able
to connect.
Encrypt VNC Server password to create a protected connection in which the password is both
saved and encrypted. You will no longer need to remember it. You will, however, have to enter the
118
VNC Address Book master password in order to connect (and also to edit the connection). Note that
a protected connection is identified by a padlock symbol
2. Click the OK button. If you chose to create a protected connection, and this is the first time you have
used VNC Address Book, you are prompted to specify a master password:
To see how to use VNC Address Book to connect to this host computer again, read Using VNC Address
Book to connect on page123.
For more information on editing and organizing connections, start with Organizing connections on
page125.
119
120
3. Enter a network address for the host computer in the VNC Server field (including a port number if necessary), choose an Encryption option (or retain the default) and, optionally, specify your VNC Server
user name and password in the Authentication area. To see how to find out this information, start with
Step 3: Identify VNC Server running on the host computer on page21.
By default, VNC Address Book creates a protected connection. This means you must enter the VNC
Address Book master password in order to connect to the host computer, and also to edit the
connection. A protected connection is identified by a padlock symbol
Note: Turn off Encrypt password (recommended) if you do not want to enter the VNC Address Book
master password in order to connect. Note this may constitute a security risk if others use your client
computer.
You can optionally edit VNC Viewer options in order to set up your preferred environment for controlling
this host computer. To do this, use the Basic tab to configure common options, or click the Advanced
button to see all the tabs. For more information, start with Configuring VNC Viewer before you connect
on page37.
121
4. Click the OK button. If you chose to create a protected connection, and this is the first time you have
used VNC Address Book, you are prompted to specify a master password:
To see how to use VNC Address Book to connect to this host computer, read Using VNC Address Book to
connect on page123.
For more information on editing and organizing connections, start with Organizing connections on
page125.
122
2. Either:
Double-click a connection in the Alphabetic or Hierarchical list.
Select a connection in a list and click the Connect
toolbar button.
You may be required to enter the VNC Address Book master password in order to connect. For more
information, see Working with the master password on page126.
Under Windows, when VNC Address Book starts, a VNC Address Book icon
is displayed in the
Notification area. This icon provides further options for quickly and conveniently connecting to host
computers. For more information, see Working with VNC Address Book on page124.
123
Under Windows, select RealVNC > VNC Address Book from the Start menu.
Note: Under Windows, you can start VNC Address Book automatically when the computer is powered
on. To do this, select Tools > Options and, in the UI behavior area, turn on Start with Windows.
Under UNIX, select Applications > Internet > VNC Address Book from the menu system, or search for
this application using the standard operating system facility.
Note: If no menu system or search facility is available, open a Terminal window and run the command
vncaddrbook. Note you should not do this as a user with administrative privileges.
Under Mac OS X, navigate to Applications > RealVNC, and double-click VNC Address Book.
is displayed in the
to the right of the
Provides visual confirmation that VNC Address Book is running on the client computer. If the icon is not
available, then VNC Address Book is not running.
124
The following table explains the effect of selecting each VNC Address Book shortcut menu option.
Option
Purpose
Connect to
Start VNC Viewer, enabling you to connect to a new host computer in the standard
way. For more information, see Connecting to a host computer on page39.
Create new connections or edit and organize existing ones. (Alternatively, double-click
the VNC Address Book icon to open the VNC Address Book dialog.)
Exit
Organizing connections
VNC Address Book organizes connections both alphabetically and hierarchically:
You can reorganize connections in the Hierarchical list. (The Alphabetic list is automatically organized.)
Click the New Folder
toolbar button to create folders in the Hierarchical list. You can drag-and-drop
connections to, from, and between folders. Note that if you delete a folder, all connections in that folder are
deleted too.
Editing connections
You can edit an existing connection. Note you may be required to enter the VNC Address Book master
password first.
To do this, select a connection in the Alphabetic or Hierarchical list, and either:
toolbar button.
For more information on editing VNC Viewer options, start with Configuring VNC Viewer before you connect
on page37.
To rename a connection in VNC Address Book, select it in the Alphabetic or Hierarchical list and select
Edit > Rename, or right-click and select Rename from the shortcut menu.
125
Sharing connections
You can share one or more connections with other fully-featured VNC Viewer users. Note that VNC Server
passwords are also shared, albeit in obfuscated or encrypted form.
To share:
All VNC Address Book connections, select Tools > Export Address Book.
A single connection, right-click it in the Alphabetic or Hierarchical list and, from the shortcut menu,
select Export.
Choose a location for the exported file. If the file contains a protected connection (one in which the VNC
Server password was saved and encrypted), the recipient will need your VNC Address Book master
password in order to import it.
You can import one or more connections shared by other fully-featured VNC Viewer users. To do this, select
Tools > Import Address Book, and select the file to import. If the file contains a protected connection, you
will need the VNC Address Book master password of the user who created the file in order to import it.
Removing connections
To remove a connection, select it in the Alphabetical or Hierarchical list, and either:
toolbar button.
Tools > Forget Master Password to require the entry of the master password for the next operation on
a protected connection.
Tools > Options and, in the Master password area, turn off Remember for to require the entry of the
master password for all future operations on protected connections. (Alternatively, you can decrease the
length of time the master password is remembered.)
Note: The Status Bar reports Master Password: Stored if you do not currently need to enter the
master password, and Master Password: Required if you do.
126
To change the master password, select Tools > Options and, in the Master password area, click the
Change button.
A desktop icon provides an extremely quick and convenient way of connecting to a host computer. Simply
double-click the icon to connect. Your preferred VNC Viewer environment for controlling the host computer is
automatically recreated.
Note: You may need to associate the desktop icon with the VNC Viewer executable file the first time you
double-click an icon connect.
To save the current connection as a desktop icon:
1. Click the Save Connection
Note: If VNC Address Book is installed on the client computer, you must first disable it. To do this, click
the Options
VNC Viewer toolbar button to open the Options dialog and, on the Expert tab, set the
UseAddrBook parameter to False.
2. If you entered a password in order to connect to VNC Server, you are prompted to save the password.
Note that doing so may constitute a security risk, since the password is saved in obfuscated, though not
encrypted, form. If you do not save the password, you must enter it each time you connect.
3. Choose a location to save the icon file to (for example, the desktop), and an intuitive name.
127
128
B
Setting Up VNC
This appendix explains to system administrators how to set up and configure VNC applications for multiple
users in an enterprise environment.
Note an Enterprise license to use VNC Server is required for many features.
Contents
Configuring VNC
130
130
136
138
141
143
145
Logging information
148
Removing VNC
150
129
Configuring VNC
VNC applications can be configured in almost any way to suit your requirements and environment.
Specify...
To configure...
YES
YES
YES
You can:
Configure VNC applications on the same computer on which applications are installed; start with
Specifying VNC parameters on page130.
Remotely configure and lock down VNC applications using policy; start with Preventing users
configuring VNC on page138.
Remotely configure VNC applications on Windows computers using VNC Deployment Tool; visit
www.realvnc.com/products/vnc/deployment/vnctool/.
Host certain VNC applications on a UNIX network share and specify a single set of preferences
centrally; see Hosting VNC on a UNIX network share on page145.
Before the application starts. See Configuring VNC applications before they start on page131.
While the application is running, and connections are in progress. See Reconfiguring running VNC
applications on page134.
130
Windows
UNIX
Mac OS X
Prior to start-up
Registry keys
(page 131)
Command line
Command line
Command line
Registry keys
Note that parameters are applied in the order listed in the table above, so that a parameter set by policy
overrides the same parameter specified at the command line, which in turn overrides the same parameter
specified prior to start up. Note that parameters set by policy cannot be changed by users. See the sections
below for more information.
Notes
VNC Server in
Service Mode
HKLM\Software\RealVNC\vncserver
HKLM\Software\Policies\RealVNC\vncserver
VNC Server in
User Mode
HKCU\Software\RealVNC\vncserver
<parameters at the command line>
HKCU\Software\Policies\RealVNC\vncserver
VNC Viewer
HKCU\Software\RealVNC\vncviewer
<parameters at the command line>
HKCU\Software\Policies\RealVNC\vncviewer
For example, to specify the Log parameter for VNC Server in Service Mode:
1. Using Registry Editor, navigate to HKEY_LOCAL_MACHINE\Software\RealVNC\vncserver.
2. Select New > String Value from the shortcut menu, and create Log.
3. Select Modify from the shortcut menu, and specify appropriate Value data, for example *:file:100.
Note: All VNC parameters take string values, even boolean parameters.
131
Notes
VNC Server in
User Mode
(vncserverX11)
/etc/vnc/config.d/common.custom
/etc/vnc/config.d/vncserver-x11
~/.vnc/config.d/common
~/.vnc/config.d/vncserver-x11
<parameters at the command line>
/etc/vnc/policy.d/common
/etc/vnc/policy.d/vncserver-x11
VNC Server in
Service Mode
daemon
(vncserverX11-serviced)
/etc/vnc/config.d/common.custom
/etc/vnc/config.d/vncserver-x11-serviced
/root/.vnc/config.d/common
/root/.vnc/config.d/vncserver-x11-serviced
<parameters at the command line>
/etc/vnc/policy.d/common
/etc/vnc/policy.d/vncserver-x11-serviced
VNC Server in
Virtual Mode
(Xvnc, via
vncservervirtual or
vncserver)
/etc/vnc/config.d/common.custom
/etc/vnc/config.d/Xvnc
~/.vnc/config.d/common
~/.vnc/config.d/Xvnc
<parameters at the command line>
/etc/vnc/policy.d/common
/etc/vnc/policy.d/Xvnc
VNC Server in
Virtual Mode
daemon
(vncservervirtuald)
/etc/vnc/config.d/common.custom
/etc/vnc/config.d/vncserver-virtuald
/root/.vnc/config.d/common
/root/.vnc/config.d/vncserver-virtuald
<parameters at the command line>
/etc/vnc/policy.d/common
/etc/vnc/policy.d/vncserver-virtuald
VNC Viewer
(vncviewer)
132
/etc/vnc/config.d/common.custom
/etc/vnc/config.d/vncviewer
~/.vnc/config.d/common
~/.vnc/config.d/vncviewer
<parameters at the command line>
/etc/vnc/policy.d/common
/etc/vnc/policy.d/vncviewer
Mac OS X
Notes
VNC Server in
Service Mode
/etc/vnc/config.d/common.custom
/etc/vnc/config.d/vncserver
/var/root/.vnc/config.d/common
/var/root/.vnc/config.d/vncserver
/etc/vnc/policy.d/common
/etc/vnc/policy.d/vncserver
VNC Server in
User Mode
VNC Viewer
/etc/vnc/config.d/common.custom
/etc/vnc/config.d/vncserver
~/.vnc/config.d/common
~/.vnc/config.d/vncserver
<parameters at the command line>
/etc/vnc/policy.d/common
/etc/vnc/policy.d/vncserver
/etc/vnc/config.d/common.custom
/etc/vnc/config.d/vncviewer
~/.vnc/config.d/common
~/.vnc/config.d/vncviewer
<parameters at the command line>
/etc/vnc/policy.d/common
/etc/vnc/policy.d/vncviewer
When VNC is installed, /etc/vnc/config.d/common is created. This file is reserved for use by RealVNC.
To specify parameters for all VNC applications for all user accounts on the computer, create the following
file:
/etc/vnc/config.d/common.custom
To specify parameters for all VNC applications for a particular user account, create the following file:
~/.vnc/config.d/common
Note: ~ is the root user account for certain applications; see the tables above.
Other VNC configuration files are application-specific. For example, to specify parameters for VNC Server in
User Mode for all user accounts on a UNIX computer, create the following file:
/etc/vnc/config.d/vncserver-x11
To specify parameters for VNC Server in User Mode for a particular user account, create the following file:
~/.vnc/config.d/vncserver-x11
Note this is the file updated by the Options dialog; see Using the Options dialog on page135.
133
Each parameter in a VNC configuration file should be on a separate line; white space and comments are
stripped, and environment variables expanded for parameters that accept them. For example:
#This is a comment
Desktop="Build machine"
UserPasswdVerifier=VncAuth
SecurityTypes=RA2ne,RA2
RsaPrivateKeyFile=$HOME/secure/vnc
Permissions=admin:f;vncusers:d;guests:v
The Options dialog does not reflect your choices, which may confuse users.
Under UNIX and Mac OS X, parameters may be overridden if a running application is reloaded; see
Reconfiguring running VNC applications on page134.
Note: RealVNC recommends specifying parameters either in the Windows Registry/VNC configuration files
or at the command line, but not both.
For convenience, if you have many command line parameters to specify, you can populate a text file (one
parameter per line; omit the dash) and reference it using the -vncconfigfile option, for example:
vncserver-x11 -vncconfigfile /my/command/line/parameter/file
Any VNC application using its Options dialog, if it has one; see Using the Options dialog on page135.
Note that most changes take effect immediately. Changes to a few parameters, however, require all
connections to be terminated, and changes to a very small minority require the application to be restarted.
See Chapter C, VNC Parameters on page153 for more information.
134
The Options dialog for VNC Server in Service Mode requires elevated privileges.
The Options dialog for VNC Server in Virtual Mode is only available to connected users; see Working
with VNC Server in Virtual Mode on page80.
The Options dialog can be hidden from users; see Mitigating against change on page140.
Changes made in an Options dialog automatically update a particular Registry key or VNC configuration
file; see the tables below. When the OK or Apply button is clicked, all Registry keys or VNC configuration
files for that application are then reloaded.
Windows
VNC application
HKLM\Software\RealVNC\vncserver
HKCU\Software\RealVNC\vncserver
VNC Viewer
HKCU\Software\RealVNC\vncviewer
See this table on page131 for a complete list of Registry keys and the order in which they are applied.
UNIX
VNC application
~/.vnc/config.d/vncserver-x11
/root/.vnc/config.d/vncserver-x11
~/.vnc/config.d/Xvnc
VNC Viewer
~/.vnc/config.d/vncviewer
See this table on page132 for a complete list of VNC configuration files and order in which they are applied.
Mac OS X
VNC application
/var/root/.vnc/config.d/vncserver
~/.vnc/config.d/vncserver
VNC Viewer
~/.vnc/config.d/vncviewer
See this table on page133 for a complete list of VNC configuration files and order in which they are applied.
135
To reload all running instances of VNC Server for the current user, in any mode, run the command
vnclicense -reload. To reload all running instances of VNC Server in any mode for all users, run
the same command with elevated privileges.
An X server, with a virtual display. To configure it, specify Xvnc options; run the command vncservervirtual -list to see a list of valid options, and examine the output at the top. Note that many of
these options may also be valid for your actual X server; run the command man Xserver for a more
detailed explanation of shared options.
A standard VNC server. To configure it, specify VNC parameters in the same way as for any other VNC
application; start with Specifying VNC parameters on page130.
To compare VNC Server modes, consult Running multiple instances of VNC Server on page78.
136
137
An Enterprise license, you can set policy to lock down any VNC application to prevent change. See
Setting policy to lock down VNC applications on page138.
A Personal or a Free license, you can set policy to lock down VNC Viewer. You cannot lock down VNC
Server, though you can make it harder to change. See Mitigating against change on page140.
Multiple computers with a mix of license types, you can lock down VNC Server on computers that have
an Enterprise license, and then prevent VNC Server running on computers that have a Personal and a
Free license. For more information, visit www.realvnc.com/products/vnc/deployment/policy/.
VNC application
HKLM\Software\Policies\RealVNC\vncserver
HKCU\Software\Policies\RealVNC\vncserver
VNC Viewer
HKCU\Software\Policies\RealVNC\vncviewer
It is possible to create policy Registry keys manually; see Populating the Windows Registry with VNC
parameters on page131. However, RealVNC recommends downloading policy template files, making the
necessary edits, and then using Microsoft tools such as Group Policy to distribute GPOs to target
computers.
Note: Set appropriate permissions on HKLM\Software\Policies\RealVNC and
HKCU\Software\Policies\RealVNC to ensure users cannot edit policy Registry keys.
138
UNIX
VNC application
Notes
/etc/vnc/policy.d/vncserver-x11
VNC Server in
Service Mode
/etc/vnc/policy.d/Xvnc
/etc/vnc/policy.d/vncserver-virtuald
VNC Viewer
/etc/vnc/policy.d/vncviewer
It is possible to create policy VNC configuration files manually; see Populating VNC configuration files with
VNC parameters on page132. However, RealVNC recommends downloading policy template files, making
the necessary edits, and then distributing files to the /etc/vnc/policy.d directory of target computers.
Note: Set appropriate ownership or permissions on the /etc/vnc/policy.d directory to ensure users
cannot edit policy VNC configuration files.
Mac OS X
VNC application
/etc/vnc/policy.d/common
/etc/vnc/policy.d/vncserver
VNC Viewer
/etc/vnc/policy.d/vncviewer
It is possible to create policy VNC configuration files manually; see Populating VNC configuration files with
VNC parameters on page132. However, RealVNC recommends downloading policy template files, making
the necessary edits, and then distributing files to the /etc/vnc/policy.d directory of target computers.
Note: Set appropriate ownership or permissions on the /etc/vnc/policy.d directory to ensure users
cannot edit policy VNC configuration files.
139
Note: Under UNIX and Mac OS X, you can disable the Options dialog for all modes and users by specifying
the DisableOptions parameter in a global location such as /etc/vnc/config.d/common.custom.
140
Windows
Registry key
Notes
HKEY_LOCAL_MACHINE\Software\RealVNC
HKEY_CURRENT_USER\Software\RealVNC
UNIX
Directory or file
Notes
/etc/vnc/config.d/
/etc/vnc/config
/etc/vnc/config.custom
/root/.vnc/config.d/
~/.vnc/config.d/
~/.vnc/config
For each user account running VNC Server in Virtual Mode only.
Mac OS X
Directory
Notes
/etc/vnc/config.d/
/var/root/.vnc/config.d/
~/.vnc/config.d/
Under Solaris, HP-UX, and older versions of Linux: /etc/pam.conf (see lines starting vncserver).
141
Note: Under AIX, VNC Server uses LAM by default; contact Technical Support for more information. To use
PAM, specify the UsePam parameter; see Appendix C, VNC Parameters on page153.
To check credentials against an LDAP or an Active Directory password store:
1. Obtain a PAM library that provides this functionality, for example libpam-krb5.so. Running the
command vncinitconfig -pam may help find a suitable library already in use on your system.
2. Reference that library, and specify appropriate account and authentication rules, in the following file:
For platforms using /etc/pam.d/vncserver, in /etc/pam.d/vncserver.custom. Create this
file if it does not exist.
For platforms using /etc/pam.conf: edit this same file to create vncserver.custom rules
pointing to the new PAM library.
3. In an appropriate system-wide VNC configuration file (for example /etc/vnc/config.d/common.custom), specify the following VNC parameter to register your changes with VNC Server:
PamApplicationName=vncserver.custom
For more information on VNC configuration files, see Configuring VNC applications before they start on
page131. For more information on this parameter, see Appendix C, VNC Parameters on page153.
Note that a suitable PAM library for your platform may already be installed on the host computer, and
appropriate account and authentication rules specified. For example, if your system has been Kerberized, or
third party software such as Centrify or PowerBroker Identity Services installed to integrate with Active
Directory, then you may be able to simply reference changes already made. For example, under Debiancompatible Linux, you may be able to edit /etc/pam.d/vncserver.custom as follows:
@include common-auth
@include common-account
@include common-session
For Red Hat-compatible Linux, the equivalent edits might be:
auth
account
session
include
include
include
password-auth
password-auth
password-auth
The user interface; see Managing the list of registered user accounts and groups on page97.
You may need to qualify user names with the domain name, for example DEV.ACMECORP.COM\johndoe.
Note that connecting users may also need to supply the user name qualified in this way too.
142
All prospective client and host computers must be joined to the same domain (a network managed by a
domain controller, running specialized software such as Kerberos or Active Directory).
All prospective VNC Viewer users must log on to their client computers using the credentials of domain
accounts; that is, of user accounts managed by the domain controller.
A fallback authentication scheme must be provided in case single sign-on fails for any reason. See
Providing a fallback scheme on page144.
143
6. Under Mac OS X 10.7 onwards, use Directory Utility (/System/Library/CoreServices/Directory Utility.app) to ascertain the service principal name of the host computer as it is registered
with the domain controller, for example:
144
under Mac OS X. Alternatively, you may be able to obtain one by installing third party software such as
PowerBroker Identity Services or Centrify, designed to integrate with Active Directory.
4. Under UNIX and Mac OS X, create an /etc/vnc/ssolib symbolic link pointing to the location of the
GSSAPI-compatible library (above).
5. Make sure VNC Viewer is set to use single sign-on, by either:
Setting the SingleSignOn VNC parameter to TRUE; see Appendix C, VNC Parameters on
page153.
Turning on Use single sign-on if VNC Server supports it in the VNC Viewer Options dialog); see
page 38.
A domain license key is required for VNC Server. Contact RealVNC for more information.
VNC Server in Service Mode (vncserver-x11-serviced) and the VNC Server in Virtual Mode
daemon (vncserver-virtuald) cannot be served.
If system authentication is specified, connecting users can only authenticate using the credentials of the
host computer user starting VNC Server. The credentials of other local user accounts registered using
the Permissions VNC parameter are ignored.
The vncserver symlink is not available to start VNC Server in Virtual Mode out-of-the-box.
145
Note: This path is extracted from the X server of the hosting computer. If computers from which
applications will be run have a different X server configuration, it may be necessary to create an /etc/
vnc/config.custom file on each, and populate it with the Font Path output of the command xset
-q.
5. Run the command vncinitconfig -xstartup to generate a start up script for virtual desktops, and
move the resulting /etc/vnc/xstartup file to <install dir>/vnc.
6. On computers from which applications will be run, mount <install dir> read-only, and add the location to
users paths.
<install dir>/vnc/config.d/common.custom
<install dir>/vnc/config.d/vncserver-x11
<install dir>/vnc/config.d/Xvnc
VNC Viewer
(vncviewer)
<install dir>/vnc/config.d/vncviewer
<install dir>/vnc/policy.d/common
<install dir>/vnc/policy.d/vncserver-x11
<install dir>/vnc/policy.d/Xvnc
<install dir>/vnc/policy.d/vncviewer
146
written to VNC configuration files in ~/.vnc/config.d, and reloaded each time the applications run.
To prevent this, set policy.
If computers running VNC applications have VNC configuration files stored locally in /etc/vnc/
config.d (perhaps because VNC was previously installed), VNC parameters in those files override the
same parameters specified in <install dir>/vnc/config.d. To prevent this, remove this directory from
affected computers, or set policy.
If computers running VNC applications have policy set locally in /etc/vnc/policy.d (perhaps
because VNC was previously installed), VNC parameters in those files override the same parameters
specified in <install dir>/vnc/policy.d. To prevent this, remove this directory from affected
computers.
If computers running VNC Server in Virtual Mode have either the /etc/vnc/config or /etc/vnc/
config.custom Xvnc configuration files stored locally (perhaps because VNC was previously
installed), Xvnc options in these files override the same options specified in <install dir>/vnc/
config.custom. To prevent this, remove these files from affected computers.
If individual users have a ~/.vnc/config Xvnc configuration file stored locally (perhaps because VNC
was previously installed), Xvnc options in this file override the same options specified in <install dir>/
vnc/config.custom. To prevent this, remove this file from affected computers.
147
Logging information
By default, VNC Server and VNC Viewer record basic information about connection activity. You can
increase the amount of information recorded, change the type of activity, or alter the destination. In addition,
you can start recording information about other VNC applications and processes.
The following table lists the default destinations for VNC Server and VNC Viewer log output:
Application
Windows
Mac OS X
UNIX
VNC
Server
Service Mode
Event Log
(see note 3)
/Library/Logs/
vncserver.log
/var/log/vncserverx11.log
User Mode
C:\Users\<user>\
AppData\Local\
RealVNC\vncserver.log
(see note 4)
~/Library/Logs/
vnc/vncserver.log
~/.vnc/vncserverx11.log
Virtual Mode
Standard Error
(see note 5)
Virtual Mode
daemon
/var/log/vncservervirtuald.log
(see also note 6)
Standard Error
Standard Error
Standard Error
VNC Viewer
148
You can apply parameters to the following applications and sub-processes by creating special keys in the
Windows Registry. Alternatively, for some applications, you can apply parameters at the command line.
Application or sub-process
Registry key
VNC Server
Registry
Licensing
Service
Mode
Service
vncserver-sservice
User interface
vncserverui-service
User Mode
User interface
vncserverui-user
(command line)
vnclicense
(Wizard)
vnclicensewiz
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
Registry or
command line
vncaddrbook
For example, to create a log file for the VNC Server in Service Mode service:
1. Using Registry Editor, navigate to HKEY_LOCAL_MACHINE\Software\RealVNC.
2. Select New > Key from the shortcut menu, and create vncserver-sservice.
3. Select New > String Value from the shortcut menu, and create Log.
4. Select Modify from the shortcut menu, and specify appropriate Value data, for example *:file:100.
149
Repeat steps 3 and 4 for the LogFile and LogDir parameters, if necessary. Restart the service to create
the new log file.
To create a log file for an application at the command line, apply parameters before any command, for
example:
vnclicense.exe -Log=*:file:100 -LogFile=license.log -add <key>
UNIX
You can apply parameters to the following applications when run from the command line:
vnclicense, vnclicensewiz, vncaddrbook
Do so before any command, for example:
vnclicense -Log=*:file:100 -LogDir=/home/dev/logs -add <key>
Mac OS X
You can apply the logging parameters to the following applications when run from the command line:
vnclicense, vnclicensewiz
Do so before any command, for example:
/Library/vnc/VNC\ Server\ Licensing.app/Contents/MacOS/vnclicensewiz
-Log=*:file:100
Note: Two files are created for the VNC Server Licensing Wizard: ~/Library/Logs/vnc/
vnclicensewiz.log and /Library/Logs/vnclicensewiz_helper.log.
Removing VNC
To completely remove VNC, first run the VNC uninstaller(s) in the standard way for your operating system.
Follow the appropriate instructions at www.realvnc.com/products/vnc/documentation/latest/installingremoving/.
The VNC uninstaller(s) remove all program files, and security-related files and settings. This section lists the
(benign) files and settings that remain. It assumes an original installation to the default location.
150
Windows
Notes
HKEY_LOCAL_MACHINE\Software\RealVNC
HKEY_LOCAL_MACHINE\Software\Policies\RealVNC
HKEY_CURRENT_USER\Software\RealVNC
HKEY_CURRENT_USER\Software\Policies\RealVNC
C:\Users\~\.vnc\
Note: VNC Mirror Driver has been uninstalled if it is no longer listed as a display adaptor in Windows Device
Manager. Note any remaining files are managed by Windows as part of the Driver Store and should not be
manually removed.
UNIX
Directory or file
Notes
/etc/vnc/
/root/.vnc/
~/.vnc/
/etc/pam.d/vncserver*
/etc/init.d/vncserver*
/user/lib/systemd/system/vncserver*
/var/log/vncserver*
/tmp/.vnc*
Note: VNC Server in Virtual Mode creates a /tmp/.X11-unix directory and /tmp/.X<num> files that
may persist after the application stops. Run the command vncserver-virtual -clean before
uninstalling VNC to delete stale files.
Mac OS X
Directory or file
Notes
/etc/vnc/
/var/root/.vnc/
~/.vnc/
/etc/pam.d/vncserver*
/Library/Logs/vnc*.log
~/Library/Logs/vnc
/tmp/.vnc*
151
152
C
VNC Parameters
This appendix categorizes and explains the VNC parameters you can use to control the behavior of VNC
Server and VNC Viewer.
For information on how to specify parameters, why you might want to do so, and the order in which the same
parameters specified in multiple locations are applied, see Specifying VNC parameters on page130.
Contents
Categorizing VNC parameters
154
155
175
153
VNC Server
Connectivity
InTransports, ProtocolVersion,
AllowHTTP, AllowRFB,
ProxyServer
EnableGuestLogin, GuestAccess,
Hosts, HttpPort, InTransports,
KerberosPrincipalName, localhost,
NtLogonAsInteractive,
PamAccountCheck, PamApplicationName,
Permissions, ProtocolVersion,
RfbPort, ServiceDiscoveryEnabled,
UsePam
Security
AuthTimeout, BlacklistThreshold,
BlacklistTimeout, ConnNotifyTimeout,
DisconnectAction, Hosts,
IdleTimeout, localhost,
NtLogonAsInteractive, Permissions,
QueryConnect, ReverseSecurityTypes,
RootSecurity, RsaPrivateKeyFile,
SecurityTypes, UserPasswdVerifier,
UsePam
Privacy
Shared
AlwaysShared, BlankScreen,
ConnNotifyTimeout,
DisableLocalInputs,
DisconnectAction, DisconnectClients,
NeverShared, QueryConnect
Performance
DisableAero, DisableEffects,
PollInterval, RemovePattern,
RemoveWallpaper, UpdateMethod,
UseCaptureBlt
AutoSelect, ColorLevel,
PointerEventInterval,
PreferredEncoding, ScalingQuality
Picture quality/
fidelity
DisableAero, DisableEffects,
PollInterval, ProvideVisuals,
UpdateMethod, UseCaptureBlt
AutoSelect, AutoSelectLossy,
ColorLevel, FullColor,
PointerEventInterval, ScalingQuality
Display/monitor
FullScreen,
FullScreenChangeResolution, Monitor,
Scaling, UseAllMonitors
User interaction
AcceptCutText, AcceptKeyEvents,
AcceptPointerEvents, ClipboardFT,
DisableLocalInputs, EnableChat,
SendCutText, ShareFiles
ClientCutText, EnableChat,
SendKeyEvents, SendMediaKeys,
SendPointerEvents, SendPrimary,
SendSpecialKeys, ServerCutText,
ShareFiles, UseDisplayCapture
User interface
DisableAddNewClient, DisableClose,
DisableOptions, DisableTrayIcon,
EnableManualUpdateChecks, Locale,
StartUI
154
VNC Viewer
Encryption, Identities,
RsaPrivateKeyFile,
SecurityNotificationTimeout,
VerifyID, WarnUnencrypted
Default value
Explanatory text: Note all parameters are case-insensitive, for all platforms.
See also: Related parameters...
Note that:
VNC Server parameters override equivalent VNC Viewer parameters unless otherwise stated.
Changes made to parameters in the Expert tab take effect when the Apply button is clicked, unless
otherwise stated.
AcceptCutText
TRUE
Specify FALSE to prevent connected users pasting text to the host computer.
See also: SendCutText, ClipboardFT
AcceptKeyEvents
TRUE
Specify FALSE to prevent connected users controlling the host computer using their keyboards.
Use in conjunction with AcceptPointerEvents to make connections view only, and with AcceptCutText,
SendCutText, ShareFiles, and EnableChat to prevent all user interaction with the host computer.
See also: AcceptPointerEvents
AcceptPointerEvents
TRUE
Specify FALSE to prevent connected users controlling the host computer using their mice or other pointing devices.
Use in conjunction with AcceptKeyEvents to make connections view only, and with AcceptCutText,
SendCutText, ShareFiles, and EnableChat to prevent all user interaction with the host computer.
See also: AcceptKeyEvents
AllowChangeDefaultPrinter
TRUE
Specify FALSE to prevent the host computers default printer being changed to that of the first client computer that
connects.
Note: This parameter is ignored unless EnableRemotePrinting is TRUE.
AllowHTTP
TRUE
Specify FALSE to prevent VNC Viewer for Java being downloaded from VNC Server.
Note: This parameter is ignored unless AllowRFB is TRUE.
See also: AllowRFB, HttpPort, httpd
155
AllowRFB
TRUE
Specify FALSE to prevent connections to VNC Server. Existing connections are not terminated.
Note that FALSE also prevents VNC Viewer for Java being downloaded, even if AllowHTTP is TRUE.
See also: RfbPort, AllowRFB
AlwaysShared
FALSE
Specify TRUE or FALSE in conjunction with NeverShared, DisconnectClients, and the VNC Viewer Shared
parameter to determine whether one or multiple users can connect to and control the host computer at the same time.
AlwaysShared
NeverShared
DisconnectClients
Shared
Concurrent connections?
TRUE
FALSE
ignored
ignored
Yes.
FALSE
TRUE
TRUE
ignored
FALSE
TRUE
FALSE
ignored
FALSE
FALSE
ignored
TRUE
Yes.
FALSE
FALSE
TRUE
FALSE
FALSE
FALSE
FALSE
FALSE
AuthTimeout
120
Specify a number of seconds to give connecting users time to enter authentication credentials. After this, connections
are rejected, even if the correct credentials are supplied.
Specify 0 to give connecting users unlimited time.
Note: This parameter is ignored if UserPasswdVerifier is None.
See also: BlacklistThreshold, IdleTimeout
AutoLogonOverride
Windows
FALSE
156
BlacklistThreshold
Specify a number of unsuccessful authentication attempts that can be made from each client computer (identified by its
IP address) before all connections from that computer are rejected for BlacklistTimeout. This may help protect
against brute-force dictionary attacks on the password used to authenticate to VNC Server.
Note: This parameter is ignored if UserPasswdVerifier is None. Under UNIX, if UserPasswdVerifier is
UnixAuth, the underlying authentication system may also have a protection mechanism after 10 unsuccessful
attempts.
Specify 0 to allow unlimited unsuccessful authentication attempts from each client computer, for example if the host
computer is not connected to the Internet.
See also: BlacklistTimeout
BlacklistTimeout
10
Specify a number of seconds during which connections from the client computer identified by BlacklistThreshold
are forbidden. After this time, one further unsuccessful authentication attempt is permitted before BlacklistTimeout
is doubled and applied again.
Note: To reset BlacklistThreshold and BlacklistTimeout to their original values, restart VNC Server.
See also: BlacklistThreshold
BlankScreen
Windows
FALSE
Specify TRUE to blank the monitor of the host computer when users are connected, in order to protect their privacy.
Note: This parameter has no effect under Windows 8.
See also: ShareFiles
ClipboardFT
Windows
TRUE
Specify FALSE to prevent connected users on Windows client computers exchanging files with the host computer using
the standard operating system copy and paste mechanism.
Note: VNC Server must be restarted in order for a change to this parameter to take effect. In addition, this parameter is
ignored unless AcceptCutText and SendCutText are both TRUE.
See also: ShareFiles
ConnNotifyTimeout
Specify a number of seconds between 1 and 255 to display connection and disconnection notification messages for.
Specify 0 to disable notification messages.
See also: QueryConnect
Desktop
<mode-specific>
Specify a name for the host computer desktop to display on the title bar of connected VNC Viewer application windows.
Note: VNC Server must be restarted in order for a change to this parameter to take effect.
DebugClipboardHelper
Windows
157
DisableAddNewClient
FALSE
Specify TRUE to disable the Connect to Listening VNC Viewer option on the VNC Server shortcut menu, preventing
either a host computer or connected users establishing reverse connections via the user interface.
Note: Reverse connections can still be established from the command line.
See also: DisableTrayIcon, DisableClose, DisableOptions, ReverseSecurityTypes
DisableAero
Windows
FALSE
Specify TRUE to disable Windows Aero (the default graphical user interface and theme in most editions of Windows
Vista and 7) while connections are in progress. This may improve performance.
See also: DisableEffects, RemovePattern, RemoveWallpaper
DisableClose
FALSE
Specify TRUE to disable the Stop VNC Server option on the VNC Server shortcut menu, preventing either a host
computer or connected users stopping VNC Server via the user interface.
Note: VNC Server can still be stopped from the command line, or by (for example) using Control Panel >
Administrative Tools > Services under Windows.
See also: DisableTrayIcon, DisableClose, DisableOptions
DisableEffects
Windows
FALSE
Specify TRUE to disable particular graphical user interface effects such as font smoothing while connections are in
progress. This may improve performance.
See also: DisableAero, RemovePattern, RemoveWallpaper
DisableLocalInputs
Windows
FALSE
Specify TRUE to disable the keyboard and mouse of the host computer while connections are in progress, preventing a
host computer user interrupting connected users.
See also: AcceptKeyEvents
DisableOptions
FALSE
Specify TRUE to disable the Options option on the VNC Server shortcut menu, preventing either a host computer or
connected users configuring VNC Server via the user interface.
Note: VNC Server can still be configured from the command line.
See also: DisableAddNewClient, DisableClose, DisableTrayIcon
DisableTrayIcon
Specify one of the following values to control the appearance of the VNC Server icon in the notification tray (Windows
and UNIX) or on the Status Bar (Mac OS X):
1 to hide the VNC Server icon while no connections are in progress, preventing a host computer user performing
certain operations via the user interface. The icon is shown when a connection is first established.
2 to hide the VNC Server icon permanently. This is effective only for OEM license keys.
158
DisconnectAction
Windows
None
VNC Server in Service Mode only. (Do not change this parameter for VNC Server in User Mode, or users will not be
able to reconnect.)
Specify one of the following values to determine the behavior of the host computer when the last user disconnects (or is
disconnected):
None to leave the host computer as is (that is, potentially with a user account logged on).
Lock to lock the host computer. A connection can immediately be re-established, but at least one connected user
must unlock the host computer in order to continue.
Logoff to log the current user account out. A connection can immediately be re-established, but at least one
connected user must log on to a user account in order to continue.
DisconnectClients
See AlwaysShared.
display
UNIX
NULL
DisplayDevice
Windows
Specify the name of a particular monitor or similar device attached to the host computer to remote to connected users,
for example \\.\Display1. Available names are shown on the Diagnostics page of the Information Center dialog.
Note: All existing connections must be terminated in order for a change to this parameter to take effect.
By default, or if the value is not recognized, all monitors are remoted.
See also: Monitor, display
EnableAutoUpdateChecks
Specify:
0 to prevent VNC Server automatically checking for critical software patches and product updates to which you are
entitled every UpdateCheckFrequencyDays.
By default, VNC Server prompts a host computer user to choose one of the above options the first time it runs.
See also: UpdateCheckFrequencyDays, EnableManualUpdateChecks
EnableChat
TRUE
159
EnableGuestLogin
FALSE
Specify TRUE to turn on the Guest Login option on the VNC Server icon shortcut menu, allowing particular connecting
users to bypass the VNC Server authentication scheme.
Note: This parameter is ignored if GuestAccess is set to 0.
See also: GuestAccess
EnableManualUpdateChecks
TRUE
Specify TRUE to disable the Check for updates option on the VNC Server shortcut menu, preventing either a host
computer or connected users checking for critical software patches or product updates.
See also: EnableAutoUpdateChecks
EnableRemotePrinting
TRUE
Specify FALSE to prevent connected users printing host computer files to their local printers.
See also: AllowChangeDefaultPrinter
GuestAccess
Determine whether users can connect as guests, bypassing the VNC Server authentication scheme. In addition, grant
VNC permissions to connected guests.
Note: For a value other than 0, EnableGuestLogin must also be set to TRUE.
Specify a value consisting of one or particular combinations of the following characters:
s to allow connected guests to view the desktop. Note that omitting this value means guests see a blank screen.
k to allow connected guests to exercise control using their keyboards (subject to AcceptKeyEvents).
p to allow connected guests to exercise control using their mice (subject to AcceptPointerEvents).
c to allow connected guests to copy and paste text between the computers (subject to SendCutText and
AcceptCutText).
t to allow connected guests to transfer files between the computers (subject to ShareFiles).
For example:
skpc
grants connected guests viewing (s), controlling (k and p), and copy and paste (c) permissions. The other permissions
are omitted, which means the corresponding features are not available.
See also: EnableGuestLogin
160
Hosts
Filter incoming connections by IPv4 address. Client computers can either be permitted to connect, be rejected, or be
flagged up for verification by a host computer (or an already-connected) user.
Note: The default + value permits connections from all client computers. Note that changing this default means users
will no longer be able to specify IPv6 addresses in order to connect (even if InTransports includes IPv6).
Specify an ordered, comma-separated list of actions and network addresses, each of the form:
<action><ip address-or-range>
where <action> is either:
+ to permit connections
- to reject connections
? to flag connections
and <ip address-or-range> is either a particular IPv4 address, or a range suffixed by a forward slash (/) and either a
subnet mask (for example 192.168.0.187/255.255.0.0) or the number of bits in the routing prefix (for example
192.168.0.187/24).
Consider the following example:
+192.168.0.1,?192.168.4.0/255.255.255.0,
The first entry permits connections from a client computer with the IP address 192.168.0.1.
The second entry flags connections from any client computer situated in the 192.168.4 subnet.
The third entry rejects connections from all other client computers.
To exclude particular addresses (or small ranges) from within an included range, add the address and suitable subnet
mask before the include entry and prefix with .
See also: InTransports, localhost
httpd
<platform-specific>
Specify a full path to a directory containing VNC Viewer for Java files. This may be useful if you wish to customize VNC
Viewer for Java, for example by changing the background web page or logo.
Note: This parameter is ignored unless AllowHTTP and AllowRFB are both TRUE.
To obtain VNC Viewer for Java files:
Under UNIX, download VNC Viewer for Java from VNC Server and use web browser tools to save the downloaded
artifacts.
HttpPort
5800
Specify a number between 1 and 65535 representing an available TCP port from which VNC Viewer for Java can be
downloaded from VNC Server. This can be the same as rfbPort, to simplify firewall and router configuration. Note that
ports 1 to 1024 are restricted by some operating systems.
Note: This parameter is ignored unless AllowHTTP and AllowRFB are TRUE.
See also: AllowHTTP
161
IdleTimeout
3600
Specify a number of seconds to wait before disconnecting users who have not interacted with the host computer during
that time.
Specify 0 to never disconnect idle users.
See also: DisconnectAction
InTransports
IPv6,IPv4
Specify either IPv4 or IPv6 to restrict VNC Server to connection requests framed using that version of the Internet
Protocol only.
Note that IPv6 connection requests are always rejected if the Hosts parameter is set to a value other than + (the
default).
See also: Hosts
KerberosPrincipalName
Mac OS X, UNIX
host/<computer name>
Specify the host service principle name as it is registered for the host computer with the domain controller, for example
host/<computer name>.dev.acmecorp.com.
Note: This parameter is ignored unless SecurityTypes includes at least one of SSO, SSOne.
This may be useful if connecting users are experiencing problems authenticating automatically to VNC Server. For more
information, see Setting up single sign-on authentication on page143.
LeftCmdKey
Mac OS X
Alt_L
Specify one of the following values to map a particular keysym received from client computers to the left Command key:
Alt_L, Alt_R, Super_L, Super_R, ExtendedChars
The default value of Alt_L means that, for connections from:
Windows or UNIX computers with PC keyboards, connected users can press the left Alt key to simulate a press of
the left Command key.
Mac computers, it is recommended you do not change this parameter unless you are also able to make the same
change to the VNC Viewer LeftCmdKey parameter, which by default maps the left Command key to the Alt_L
keysym.
Note that ExtendedChars refers to the key typically used to create extended characters, for example Alt Gr on non-US
PC keyboards.
Note: This parameter is ignored unless the AcceptKeyEvents parameter is set to TRUE.
See also: LeftOptKey, RightCmdKey, RightOptKey, AcceptKeyEvents
LeftOptKey
See LeftCmdKey, but for the left Option key.
162
Mac OS X
ExtendedChars
Locale
Specify one of the following values to choose a display language for VNC Server:
en_US (English)
fr_FR (French)
de_DE (German)
es_ES (Spanish)
By default, this parameter is empty, and the VNC Server user interface inherits the desktop language of the currently
logged-on computer user, or falls back to English if this language has not yet been translated.
There are two aspects to the display language; specifying this parameter in different locations enables these aspects to
be controlled separately (if required):
The language in which the VNC Server user interface is displayed. Note VNC Server must be restarted in order for
any change to take effect.
The language in which connectivity and other messages are transmitted to VNC Viewer users.
Under Mac OS X, in the vncserverui-service (Service Mode) or vncserverui-user (User Mode) VNC
configuration file. You can create these files if they do not exist in any appropriate location in this table on page133.
To change the language of transmitted messages, you can either edit the Locale parameter in the Expert tab of the
VNC Server Options dialog box, or alternatively specify it:
Note: Under UNIX and Mac OS X, you can configure both language aspects together (and for all applications) by
specifying the Locale parameter in a global location such as /etc/vnc/config.d/common.custom.
localhost
FALSE
Specify TRUE to permit only connections from VNC Viewer running on the same computer as VNC Server.
See also: Hosts
163
Log
<platform-specific>
<log> determines the type of activity to record, for example connection, printing or file transfer activity, or * to record
all. To see a list of available logs, examine the Log names section in the advanced help output (run the command
<application> -help all; see VNC Server at the command line on page190 for platform-specific information).
<level> determines severity: 0 includes only serious errors, 10 includes basic audit information, 30 includes general
information, and 100 includes all possible information, potentially including keystrokes.
The first entry (*:file:10) specifies that all activity is recorded to file at level 10.
The second entry (Connections:file:100) overrides this for connection activity, recording it (to the same file) at
level 100.
LogDir
<platform-specific>
Specify a directory in which VNC Server should create a log file. This location must be writable.
Note: This parameter is ignored unless at least one Log entry has an output destination of file.
For example, under Windows:
X:\my\file\server\realvnc\logs\${COMPUTERNAME}\vncserver
specifies a file share mapped to drive X, and distinguishes the name of the originating computer.
See also: Log
LogFile
<platform-specific>
Specify a name for the file VNC Server should create in LogDir, for example realvnc-debug.log.
Note: This parameter is ignored unless at least one Log entry has an output destination of file.
See also: Log
164
Monitor
Mac OS X
-1
Specify the number of a particular monitor or similar device attached to the host computer to remote to connected users,
for example 0 for the primary monitor, 1 for a secondary monitor, and so on.
Note: All existing connections must be terminated in order for a change to this parameter to take effect.
By default, or if the value is not recognized, all monitors are displayed.
See also: DisplayDevice, display
NeverShared
FALSE
See AlwaysShared.
NtLogonAsInteractive
Windows
FALSE
Specify TRUE to establish connections as Interactive logon type 2 rather than Network logon type 3.
Note: This parameter is ignored unless system authentication is specified (that is, UserPasswdVerifier is set to
NtLogon).
This may be useful if user accounts valid for logging on to the host computer (and whose credentials are supplied in
order to connect to VNC Server) are not accorded the higher privileges of the Network logon type, and would
consequently be rejected. Alternatively, if network access to a domain controller cannot be guaranteed, connections
may be more reliable since the Interactive logon type caches credentials.
See also: UserPasswdVerifier, Permissions
PamAccountCheck
UNIX, Mac OS X
TRUE
Specify FALSE to check just PAM authentication rules. By default, PAM account rules are checked as well.
Note: This parameter is ignored unless system authentication is specified (that is, UserPasswdVerifier is set to
UnixAuth).
This may be useful if connecting users are experiencing problems authenticating to VNC Server, since account rule
checks must be run as root.
See also: PamApplicationName, UserPasswdVerifier
PamApplicationName
UNIX, Mac OS X
vncserver
Specify vncserver.custom to use the custom PAM library and authentication and account rules specified:
Under Solaris, HP-UX, and older versions of Linux, by lines starting vncserver.custom in the /etc/pam.conf
file.
Note: This parameter is ignored unless system authentication is specified (that is, UserPasswdVerifier is set to
UnixAuth).
Under UNIX, this may be useful to enable connecting users to authenticate to VNC Server using the credentials of
domain accounts. See Managing system authentication on page141 for more information.
See also: PamAccountCheck, UserPasswdVerifier
165
Permissions
<platform-specific>
Register user accounts or groups with VNC Server so connecting users can authenticate using familiar, securelymanaged system credentials. In addition, grant VNC permissions to use remote control features while connections are
in progress. For more information on domain accounts under UNIX, see Managing system authentication on page141.
Note: This parameter is ignored unless system authentication (see the UserPasswdVerifier parameter) or single
sign-on (see Setting up single sign-on authentication on page143) is specified.
Note: A utility is available to create a permissions string in the correct format for VNC Server; visit www.realvnc.com/
products/vnc/deployment/acl-creator/ for more information.
Specify a comma-separated list of users/groups and permissions, each of the form:
<name>:<feature>
where <name> is the user name of a valid user account, preceeded by % to distinguish a group, and <access> is a
string consisting of particular combinations of at least one of the following characters:
s to allow connected users to view the desktop. Note that omitting this value means users see only a blank screen.
k to allow connected users to exercise control using their keyboards (subject to AcceptKeyEvents).
p to allow connected users to exercise control using their mice (subject to AcceptPointerEvents).
c to allow connected users to copy and paste between computers (subject to SendCutText/AcceptCutText).
t to allow connected users to transfer files between the computers (subject to ShareFiles).
Note: Under UNIX and Mac OS X, you can omit <name> to infer the VNC Server process owner (User Mode and
Virtual Mode) or the root user account (Service Mode). Under Windows, you can use the built-in CREATOR OWNER user
to infer the VNC Server process owner (User Mode) or the currently-logged on user account (Service Mode).
Note that specifying a character corresponds to turning the Allow checkbox on for that feature on the Users &
Permissions page of the VNC Server Options dialog box. Other behaviors can be modelled as follows:
Omit a character to disallow that feature, corresponding to turning the Allow checkbox off. Note that for a group, this
can be overridden by individual members. Alternatively, specify -<feature> to disallow that feature from a set, so for
example johndoe:d-t grants a normal set of permissions, with the exception of file transfer.
! to explicitly deny a feature, corresponding to turning the Deny checkbox on. This cannot be overridden.
Note that if you use - (to disallow) and ! (to deny) then the order of characters must be allow > disallow > deny.
Consider the following example:
superuser:f,%vncusers:d,johndoe:v,janedoe:skp-t!r
The johndoe user account grants view-only permissions (assuming johndoe is not a member of vncusers).
The janedoe user account grants viewing (s) and controlling permissions (k and p), disallows file transfer, and
explicitly denies printing. No position is taken on copy and paste (c) or chat (h). If janedoe is a member of
vncusers, then any grant of these permissions is inherited, and those two features are allowed. If janedoe is not
a member of vncusers, then these features are disallowed.
166
PollInterval
UNIX
50
ProtocolVersion
NULL
Specify one of the following values to compel VNC Server to advertize only that version or lower of the underlying RFB
protocol:
3.3, 3.7, 3.8, 4.0, 4.1
The lower the version, the wider the range of VNC-compatible Viewer technology from third parties able to connect, but
the fewer the premium features (such as encryption, file transfer, printing, and chat) available to connected users.
By default, the latest version of the RFB protocol is advertized.
QueryConnect
FALSE
Specify TRUE to display connection prompts when particular users connect. If present, a host computer (or an alreadyconnected) user can choose to accept connections, make connections view only, or reject them. If no user is present,
connections are automatically granted QueryTimeoutRights after QueryConnectTimeout.
Note: Some users may have sufficient VNC permissions to bypass connection prompts.
See also: QueryConnectTimeout, QueryOnlyIfLoggedOn, QueryTimeoutRights
QueryConnectTimeout
10
Specify a number of seconds to display connection prompts for. If no response is received from a host computer (or an
already-connected) user during this time, connections are automatically granted QueryTimeoutRights.
See also: QueryConnect, QueryTimeoutRights
QueryOnlyIfLoggedOn
FALSE
Not available for VNC Server in User Mode. It is also not recommended for VNC Server in Service Mode under Mac OS
X in this release.
Specify TRUE to display connection prompts only if a user account is currently logged on, and therefore a host computer
user is likely to be present. (For VNC Server in Virtual Mode under UNIX, the equivalent is if at least one user is already
connected, since no host computer user can be present at a virtual desktop.)
Note: This parameter is ignored unless QueryConnect is TRUE.
If no user account is logged on (or if no user is connected in Virtual Mode), connection prompts are not displayed and
all connections are automatically granted QueryTimeoutRights.
See also: QueryConnect, QueryTimeoutRights
167
QueryTimeoutRights
NULL
Determine whether connections exceeding QueryConnectTimeout are accepted or rejected, and grant VNC
permissions to connected users.
Note: This parameter is ignored unless QueryConnect is TRUE.
Specify a value consisting of one or particular combinations of the following characters:
s to allow connected users to view the desktop. Note that omitting this value means users see a blank screen.
k to allow connected users to exercise control using their keyboards (subject to AcceptKeyEvents).
p to allow connected users to exercise control using their mice (subject to AcceptPointerEvents).
c to allow connected users to copy and paste text between computers (subject to SendCutText and
AcceptCutText).
For example:
skpc
grants connected guests viewing (s), controlling (k and p), and copy and paste (c) permissions. The other permissions
are omitted, which means the corresponding features are not available.
See also: QueryConnect, QueryOnlyIfLoggedOn
QuitOnCloseStatusDialog
FALSE
Specify TRUE to stop VNC Server if a host computer (or a connected) user closes the VNC Server dialog.
By default, closing merely hides the dialog; it can be shown again from the VNC Server icon under most operating
systems.
RandR
UNIX
NULL
168
RemapKeys
UNIX
NULL
Map or swap keyboard keys. This may be useful if client computer keyboards are likely to be different to the host
computer keyboard.
Specify a comma-separated list of X Window hexadecimal keysyms, either of the form:
<keysym>-><keysym> to map from the first keysym to the second, for example
0x6d->0x6e to cause m to be interpreted as n.
RemovePattern
Windows
FALSE
Specify TRUE to replace a repeating pattern on the host computers desktop (under old versions of Windows) with a
plain background while a connection is in progress. This may improve performance.
See also: RemoveWallpaper, DisableAero, DisableEffects
RemoveWallpaper
Windows
FALSE
Specify TRUE to replace a picture or photo on the host computers desktop with a plain background while a connection
is in progress. This may improve performance.
See also: RemovePattern, DisableAero, DisableEffects
ReverseSecurityTypes
RA2
Determine (in conjunction with VNC Viewer) whether reverse connections are encrypted or not.
For more information, and a list of valid security types, see SecurityTypes.
See also: SecurityTypes, DisableAddNewClient
RfbPort
5900
Specify a number between 1 and 65535 representing an available TCP port on which VNC Server can listen for
connection requests. This can be the same port as httpPort, to simplify firewall and router configuration. Note that
ports 1 to 1024 are restricted by some operating systems.
Note: This parameter is ignored if AllowRFB is FALSE.
Note that the default port, 5900, is registered for use by VNC Server with the Internet Assigned Numbers Authority
(IANA), and does not need to be explicitly identified by connecting users.
See also: AllowRFB, httpPort
RightCmdKey
Mac OS X
Super_L
Mac OS X
ExtendedChars
RightOptKey
See LeftCmdKey, but for the right Option key.
169
RootSecurity
UNIX, Mac OS X
FALSE
RsaPrivateKeyFile
UNIX, Mac OS X
$HOME/.vnc/private.key
Specify the full path to a file storing a private key for VNC Server.
Note: VNC Server in Service Mode runs as the root user.
If the private key is missing or corrupt, users cannot connect. To generate a new private key, stop and restart VNC
Server.
See also: SecurityTypes
SecurityTypes
<platform-specific>
If VNC Server has an Enterprise or a Personal license, determine, in conjunction with VNC Viewer, whether:
The exchange of authentication credentials is encrypted, but subsequent connections are not. This means data
transmitted while connections are in progress may be susceptible to interception by a third parties.
Note: If VNC Server has a Free license, connections cannot be encrypted. Authentication credentials, however, are
protected by a challenge-response mechanism.
From the table below, specify the ordered, comma-separated combination of security types appropriate to the level of
encryption you wish to offer, for the authentication scheme you have chosen (see the UserPasswdVerifier
parameter). For each connection request, VNC Server offers security types in left-to-right order; VNC Viewer selects the
first that accords with the preferences set by the connecting user (see the VNC Viewer Encryption parameter).
Note: Certain security types prevent connections from earlier versions of VNC Viewer (and VNC-compatible Viewer
technology from third parties).
Authentication
scheme
Encryption
preference
Security types
System authentication
Always maximum
RA2:256+
RA2:256+
Always on
RA2
RA2
Prefer on
RA2,RA2ne
RA2,RA2ne,None
Prefer off
RA2ne,RA2
RA2ne,None,RA2
Always maximum
SSO:256+,RA2:256+
RA2:256+
Always on
SSO,SSPI,RA2
RA2
Prefer on
SSO,SSPI,RA2,SSOne,SSPIne,RA2ne RA2,RA2ne,None
Prefer off
SSOne,SSPIne,RA2ne,SSO,SSPI,RA2 RA2ne,None,RA2
Single sign-on
170
Authentication
scheme
Encryption
preference
Security types
VNC password
Always maximum
RA2:256+
RA2:256+
Always on
RA2
RA2
Prefer on
RA2,RA2ne,VncAuth
RA2,RA2ne,None
Prefer off
RA2ne,VncAuth,RA2
RA2ne,None,RA2
Always maximum
RA2:256+
RA2:256+
Always on
RA2
RA2
Prefer on
RA2,RA2ne,None
RA2,RA2ne,None
Prefer off
RA2ne,None,RA2
RA2ne,None,RA2
None
It is possible to specify a custom set of security types, in different combinations to those listed in the table above. Note
the following classifications:
Any security type incorporating ne (no encryption) signifies that the exchange of authentication credentials will be
encrypted, but subsequent connections are not.
None signifies that authentication credentials will not be exchanged, and subsequent connections are not
encrypted.
SSPI and SSPIne have been superceded by SSO and SSOne respectively. There is no need to specify these
security types when using VNC Server and VNC Viewer 5.x.
All other security types signify that both the exchange of authentication credentials and subsequent connections will
be encrypted using at least 128-bit AES.
As an example, consider the default security types for VNC Server set to use system authentication and with an
encryption preference of prefer on:
RA2,RA2ne
If a VNC Viewers Encryption parameter is set to:
AlwaysMaximum, connections are encrypted end-to-end and upgraded to 256-bit AES, providing VNC Server has
an Enterprise license. (Note connections to VNC Server with a Personal license cannot be established.)
AlwaysOn or PreferOn, connections are encrypted end-to-end using at least 128-bit AES.
PreferOff, the exchange of authentication credentials is encrypted using at least 128-bit AES (that is, VNC
Viewer chooses the RA2ne security type), but subsequent connections are not encrypted.
SendCutText
TRUE
Specify FALSE to prevent connected users copying text on the host computer and pasting it to their client computers.
See also: AcceptCutText, ClipboardFT
ServiceDiscoveryEnabled
TRUE
Specify FALSE to prevent VNC Server automatically advertizing itself on Zeroconf-enabled local networks (for example,
Bonjour or Avahi).
171
ShareFiles
TRUE
Specify FALSE to prevent connected users exchanging files with the host computer.
See also: ClipboardFT
SimulateSAS
Windows
0 to respect Windows group policy for SAS, which means that it cannot be sent to host computers running most
versions of Windows Vista and 7.
1 to override group policy if it has not been explicitly set, which means SAS can be sent in most circumstances.
2 to override group policy even if it has been explicitly set, which means SAS can always be sent.
StartUI
UNIX
TRUE
StopUserModeOnSwitchOut
Mac OS X
TRUE
UpdateCheckFrequencyDays
Specify a number of days to wait before VNC Server automatically checks for critical software patches and product
updates to which you are entitled.
Note: This parameter is ignored unless EnableAutoUpdateChecks is TRUE.
172
UpdateMethod
Windows, UNIX
<platform-specific>
0 to poll the display system for changes to the entire desktop. This may be the slowest method, but can be useful to
track changes to applications that interface directly with the graphics card, for example some DirectX applications.
1 to use application hooks to monitor messages sent to ascertain whether application content has changed. Note
this method is not effective under Windows Vista onwards; 2 is automatically selected (if possible), else 0.
2 to use VNC Mirror Driver, if it is installed for VNC Server in Service Mode, under all platforms except NT4 and
Windows 8/Server 2012. Note that for VNC Server in User Mode, this method is not effective and 1 is automatically
selected (if possible), else 0.
This method causes graphical updates to be mirrored to a secondary driver and is typically quick and effective,
though it may not capture some DirectX or OpenGL applications, nor interface correctly with some graphics cards.
UNIX
0 to poll the display system for changes to the entire desktop. This may be the slowest option, but can be useful to
track changes to applications that interface directly with the graphics card, for example some DirectX applications.
1 to use the X Window Damage extension if it is enabled and working. If it is not working (which may be the case
under some platforms), 0 is automatically selected.
UseCaptureBlt
Windows
TRUE
Specify FALSE to stop VNC Server monitoring updates to some semi-transparent windows such as certain menus and
tooltips. This may improve performance or reduce cursor flicker but does mean connected users do not have perfect
picture fidelity.
See also: UpdateMethod
UsePam
UNIX
FALSE
173
UserPasswdVerifier
<platform-specific>
Specify at least one of the following values to determine the authentication scheme:
NtLogon (Windows) or UnixAuth (Mac OS X, UNIX) to specify system authentication, which means that users
can connect by supplying the credentials of user accounts (local or domain) registered with the Permissions
parameter. Note that an Enterprise or a Personal license is required. For more information on domain accounts
under UNIX, see Managing system authentication on page141.
VncAuth to specify VNC authentication, which means that users can connect by supplying password(s) set directly
in the Windows Registry or in VNC configuration files by the vncpasswd utility. Run the command vncpasswd help for more information.
None to disable authentication, which means that users can connect without having to supply a password.
Note: The SecurityTypes parameter must be set to a value or combination of values appropriate to the
authentication scheme.
Note that a comma-separated list of values can be specified in order to determine a fallback scheme. Consider the
following example:
NtLogon,VncAuth
This means that, if system authentication fails for any reason, VNC authentication is enforced.
To specify the single sign-on authentication scheme, set the SecurityTypes parameter to include a SS* security type
and, under UNIX and Mac OS X, create an /etc/vnc/ssolib symlink as described in the section Setting up single
sign-on authentication on page143. The value of UserPasswdVerifier is then used as the fallback authentication
scheme if single sign-on fails for any reason (see, for example, the VNC Viewer SingleSignOn parameter).
See also: SecurityTypes
WorkaroundXlibXkbBug
UNIX
174
TRUE
Default value
Explanatory text: note that all parameters are case-insensitive, for all platforms.
See also: Related parameters...
Note that:
VNC Viewer parameters may be overridden by VNC Server parameters; this is clearly stated.
Changes made in the Expert tab take effect when the OK button is clicked, unless otherwise stated.
AcceptBell
TRUE
AutoReconnect
TRUE
Specify FALSE to prevent VNC Viewer 5.0+ automatically reconnecting to VNC Server in certain circumstances, for
example if the current user account is logged or switched out.
AutoSelect
TRUE
Specify FALSE to request that VNC Server send screen updates using PreferredEncoding and ColorLevel.
By default, an encoding and pixel format is automatically chosen to suit the speed of the network connection.
See also: PreferredEncoding, ColorLevel, FullColor
AutoSelectLossy
TRUE
Specify FALSE to prevent lossy encodings (such as JPEG and JRLE) being requested when AutoSelect is TRUE.
This may be useful if perfect picture fidelity is required.
ChangeServerDefaultPrinter
TRUE
Specify FALSE to not change the default printer of a host computer. A connected user must explicitly select a VNC
printer at print-time.
By default, the host computers default printer is changed to that of the first client computer that connects.
Note: This parameter is ignored unless the EnableRemotePrinting parameter and the VNC Server
AllowChangeDefaultPrinter and EnableRemotePrinting parameters are all set to TRUE.
See also: EnableRemotePrinting
ClientCutText
TRUE
Specify FALSE to prevent a connected user pasting text to the host computer.
Note: This parameter is ignored unless the VNC Server AcceptCutText parameter is set to TRUE.
See also: ServerCutText
175
ColorLevel (ColourLevel)
pal8
Specify one of the following values to determine the picture quality of the host computer desktop:
Using more colors gives a better user experience, at a potential cost in performance.
Note: This parameter is ignored if either FullColor or AutoSelect is set to True.
See also: FullColor, AutoSelect
DisableOptionsModeSwitch
FALSE
Specify FALSE to lock down the Options dialog box, preventing a user switching between Basic and Advanced tabs.
DotWhenNoCursor
TRUE
Specify FALSE to not show a local cursor if an application running on the host computer is set to show an invisible
cursor.
By default, VNC Viewer displays a dot cursor in this circumstance.
Note: This parameter is ignored unless the SendPointerEvents parameter and the VNC Server
AcceptPointerEvents parameter are both set to TRUE.
See also: SendPointerEvents
Emulate2
Mac OS X
FALSE
Specify TRUE if the client computers mouse has one button but the mouse attached to the host computer has two.
A connected user can emulate the missing button by holding down the Ctrl key while clicking.
Note: This parameter is ignored unless the SendPointerEvents parameter and the VNC Server
AcceptPointerEvents parameter are both set to TRUE.
See also: Emulate3, SendPointerEvents
Emulate3
FALSE
Specify TRUE if the client computers mouse has two buttons but the mouse attached to the host computer has three.
A connected user can emulate the missing middle button by clicking the left and right buttons simultaneously.
Note: This parameter is ignored unless the SendPointerEvents parameter and the VNC Server
AcceptPointerEvents parameter are both set to TRUE.
See also: Emulate2, SendPointerEvents
EnableChat
Specify FALSE to prevent a connected user participating in a chat session.
Note that the user can still view chat messages exchanged by other users connected at the same time.
Note: This parameter is ignored unless the VNC Server EnableChat parameter is set to TRUE.
176
TRUE
EnableRemotePrinting
TRUE
Specify FALSE to prevent a connected user printing a host computer file to a local printer.
Note: This parameter is ignored unless the VNC Server EnableRemotePrinting parameter is set to TRUE.
See also: ChangeServerDefaultPrinter
EnableToolbar
TRUE
Specify FALSE to disable the toolbar, preventing a connected user performing key operations.
See also: MenuKey, ToolbarIconSize
Encryption
Server
For connections to VNC Server with an Enterprise or a Personal license, determine, in conjunction with VNC Server,
whether:
The exchange of authentication credentials is encrypted, but the subsequent connections themselves are not. This
means data transmitted while connections are in progress may be susceptible to interception by third parties.
Note: Connections to VNC Server with a Free license cannot be encrypted. Authentication credentials, however, are
protected by a challenge-response mechanism. Note this parameter must not be set to AlwaysMaximum or AlwaysOn;
see Connectivity and feature matrix on page13 for more information.
Specify one of the following values:
Server to let VNC Server choose. By default, connections will always be encrypted end-to-end unless VNC
Servers encryption preference is set to prefer off (see the VNC Server SecurityTypes parameter).
AlwaysMaximum to request that connections be encrypted end-to-end using 256-bit AES. This request is always
granted for connections to VNC Server with an Enterprise license. Do not specify this value for connections to VNC
Server with a Personal or a Free license.
AlwaysOn to request that connections be encrypted end-to-end using at least 128-bit AES. This request is always
granted for connections to VNC Server with an Enterprise or a Personal license. Do not specify this value for
connections to VNC Server with a Free license.
PreferOn to prefer that connections be encrypted end-to-end using at least 128-bit AES. This request is always
granted for connections to VNC Server with an Enterprise or a Personal license.
PreferOff to prefer that the exchange of authentication credentials be encrypted using at least 128-bit AES, but
that connections themselves need not be encrypted. This may improve performance. This request is always granted
providing VNC Servers encryption preference is set to prefer on or prefer off.
Note: The rules above apply providing the VNC Server SecurityTypes parameter is set to the default values for its
authentication scheme and encryption preference. If the SecurityTypes parameter has custom values, arbitrary
rules apply.
See also: SecurityNotificationTimeout, WarnUnencrypted, RsaPrivateKeyFile
177
FetchDir
<platform-specific>
Specify a full path to a directory to which files transfered from the host computer are downloaded, for example
"C:\Users\johndoe\My Documents".
By default, files are downloaded:
FullColor (FullColour)
FALSE
Specify TRUE to display the host computers desktop in full color. Note that using more colors gives a better user
experience, at a potential cost in performance.
Note also that:
FullScreen
FALSE
Specify TRUE to display the VNC Viewer application window in full screen mode.
Note that scrollbars are not displayed if the host computers desktop is larger than the application window; a connected
user must bump the mouse against an edge to scroll.
See also: FullScreenChangeResolution, UseAllMonitors
FullScreenChangeResolution
Windows, Mac OS X
FALSE
Specify TRUE to change the client computers screen resolution to that of the host computer when the VNC Viewer
application window is in full screen mode.
See also: FullScreen, UseAllMonitors
GrabKeyboard
UNIX
Specify one of the following values to determine whether VNC Viewer monopolizes the client computers keyboard,
preventing other applications receiving keyboard input.
1 to grab the keyboard when the VNC Viewer application window is in full screen mode.
HideCloseAlert
FALSE
Specify TRUE to close VNC Viewer silently if a user is disconnected unexpectedly, perhaps because VNC Server has
stopped. Use in conjunction with AutoReconnect set to FALSE in order to exit VNC Viewer cleanly if run from a script.
By default, a newly-disconnected user is informed of the reason in a message box that must be acknowledged before
VNC Viewer can close.
178
Identities
Mac OS X, UNIX
$HOME/.vnc/identities
Specify a path to a file storing signatures uniquely identifying instances of VNC Server already connected to.
Depending on the value of VerifyID, a connecting user is warned if a VNC Server signature is new or has changed,
which might help prevent connections to unintended or illegitimate destinations.
See also: VerifyID
InterpretDeadKeys
UNIX
FALSE
Specify TRUE to compose a character from a dead key and the key-to-be-modified before sending the combination to
VNC Server. This may be useful for connections to host computers that cannot natively compose particular symbols.
By default, the dead key and the key-to-be-modified are sent as separate key presses.
Note: This parameter is ignored unless the SendKeyEvents parameter and the VNC Server AcceptKeyEvents
parameter are both set to TRUE.
See also: SendKeyEvents
InTransports
IPv6,IPv4
Specify either IPv4 or IPv6 to restrict Listening VNC Viewer to connection requests from VNC Server framed using
that version of the Internet Protocol only.
LeftCmdKey
Mac OS X
Alt_L
Specify one of the following values to send a particular keysym to the host computer when the left Command key is
pressed:
Alt_L, Alt_R, Super_L, Super_R, ExtendedChars
By default, for a connection to a:
Windows or UNIX computer with a PC keyboard, the left Alt key is simulated, which means that pressing left
Command+F has the effect of opening the File menu on most Windows applications.
Mac computer, it is recommended you do not change this parameter unless you are also able to make the same
change to the VNC Server LeftCmdKey parameter, which by default maps the Alt_L keysym back to the left
Command key.
Note that ExtendedChars refers to the key typically used to create extended characters, for example Alt Gr on non-US
PC keyboards.
Note: This parameter is ignored unless the SendKeyEvents parameter and the VNC Server AcceptKeyEvents
parameter are both set to TRUE.
See also: LeftOptKey, RightCmdKey, RightOptKey, SendKeyEvents
LeftOptKey
Mac OS X
ExtendedChars
179
Locale
Specify one of the following values to choose a display language:
en_US (English)
fr_FR (French)
de_DE (German)
es_ES (Spanish)
By default, this parameter is empty, and the VNC Viewer user interface inherits the desktop language of the currently
logged-on computer user, or falls back to English if this language has not yet been translated. Note VNC Viewer must
be restarted for any change to this parameter to take effect.
Note: Some messages are transmitted by VNC Server and thus may appear in a different language. See the VNC
Server Locale parameter for more information.
Log
*:stderr:0
<log> determines the type of activity to record, for example connection, printing or file transfer activity, or * to record
all. To see a list of available logs, examine the Log names section in the advanced help output (run the command
<application> -help all; see VNC Viewer at the command line on page192 for platform-specific information).
<target> determines the output destination: either stderr (the default) or file (see the LogDir and LogFile
parameters).
<level> determines severity: 0 includes only serious errors, 10 includes basic audit information, 30 includes general
information, and 100 includes all possible information, potentially including keystrokes.
The first entry (*:file:10) specifies that all activity is recorded to file at level 10.
The second entry (CConnection:file:100) overrides this for connection activity, recording it (to the same file) at
level 100.
LogDir
<platform-specific>
Specify a directory in which VNC Viewer should create a log file. This location must be writable.
Note: This parameter is ignored unless at least one Log entry has an output destination of file.
For example, under Windows:
X:\my\file\server\realvnc\logs\${COMPUTERNAME}\vncviewer
specifies a file share mapped to drive X, and distinguishes the name of the originating computer.
See also: Log
180
LogFile
<platform-specific>
Specify a name for the file VNC Viewer should create in LogDir, for example "realvnc debug.log".
Note: This parameter is ignored unless at least one Log entry has an output destination of file.
See also: Log
MenuKey
F8
Specify a function key in the range F1 to F12 to raise the shortcut menu when the VNC Viewer application window has
focus.
Specify null (-menukey=) to disable the shortcut menu, preventing a connected user performing particular operations.
See also: EnableToolbar
Monitor
Windows
NULL
Specify a monitor attached to the client computer to display the VNC Viewer application window on, for example
\\.\DISPLAY2.
By default, or if the specified value is not recognized, VNC Viewer is displayed on the primary monitor (equivalent to
\\.\DISPLAY1).
See also: UseAllMonitors
MRUEntries
Windows
20
Specify the maximum number of host computer network addresses to remember, or 0 to remember no addresses.
This most recently used list is available to a connecting user from the VNC Server dropdown of the VNC Viewer
dialog.
PointerCornerSnapThreshold
30
Specify a number of pixels from each corner of the VNC Viewer application window, on each axis.
If a connected user moves the client computers mouse cursor out of the application window within this area, the host
computers mouse cursor is snapped to the corner. This may be useful for connections to computers that trigger special
effects in the corners, for example Windows 8 and Mac OS X 10.8 (Mountain Lion).
Note: This parameter is ignored unless the SendPointerEvents parameter and the VNC Server
AcceptPointerEvents parameter are both set to TRUE.
See also: SendPointerEvents
PointerEventInterval
Specify a number of milliseconds to wait before sending mouse events such as cursor movements, clicks, and scrolls to
the host computer.
Increasing this value may make connections operating over a low-bandwidth network more responsive.
Note: This parameter is ignored unless the SendPointerEvents parameter and the VNC Server
AcceptPointerEvents parameter are both set to TRUE.
See also: SendPointerEvents
181
PreferredEncoding
ZRLE
Specify one of the following values to request that VNC Server send screen updates in a particular encoding:
ProtocolVersion
NULL
Specify one of the following values to request that VNC Server use only that version or lower of the underlying RFB
protocol:
3.3, 3.8, 4.0, 4.1
A lower version might be useful for connections to legacy third party VNC-compatible Server applications that do not
offer support for subsequent versions of the RFB protocol.
By default, the latest version of the RFB protocol is requested.
ProxyPassword
Null
ProxyServer
Null
Specify the network address and port number of a proxy server if the client computer is protected by one, for example
"http://myproxyserver.com:8080". Alternatively:
Under Windows, specify _msiesettings_ to use the proxy server settings of Microsoft Internet Explorer.
Under UNIX, specify _env_ to use standard proxy server environment variables.
Under Mac OS X, specify _system_ to use standard proxy server environment variables.
ProxyType
httpconnect
Specify socks if ProxyServer is a SOCKS 5 proxy server. By default, an HTTP proxy server is assumed.
See also: ProxyServer
ProxyUserName
Specify a user name if ProxyServer requires authentication.
See also: ProxyServer, ProxyPassword
182
Null
RelativePtr
FALSE
Specify TRUE to send relative changes in mouse cursor position to the host computer, rather than absolute coordinates.
This may be useful to synchronize the mouse cursors of the client and host computers, if one is diverging from the other,
something that can occur if an application running on the host computer does not support absolute mouse events, or for
connections to KVM-over-IP switches. Note that a connected user will not be able to move the mouse cursor outside the
VNC Viewer application window.
Note: This parameter is ignored unless the SendPointerEvents parameter and the VNC Server
AcceptPointerEvents parameter are both set to TRUE.
See also: SendPointerEvents
RightCmdKey
Mac OS X
Super_L
Mac OS X
ExtendedChars
RightOptKey
See LeftCmdKey, but for the right Option key.
RsaPrivateKeyFile
Mac OS X, UNIX
<platform-specific>
Specify the full path to a file storing a private key for VNC Viewer.
If the private key is missing or corrupt, connections cannot be established. To generate a new private key, restart VNC
Viewer.
See also: Encryption
ScalePrintOutput
True
183
Scaling
None
Specify one of the following values to determine whether the host computers desktop is scaled relative to the size of the
VNC Viewer application window:
None to not scale the host computers desktop. If it is bigger than the application window, scroll bars appear. The
window cannot be resized larger than the desktop.
AspectFit to scale the desktop to the size of the window, but retain the aspect ratio.
<pixel width>x<pixel height> to scale the desktop to the specified window size. The window cannot be resized
larger.
<pixel width>x to scale the desktop to the specified window width; the height is determined by the aspect ratio. The
window cannot be resized larger.
x<pixel height> to scale the desktop to the specified window height; the width is determined by the aspect ratio.
The window cannot be resized larger.
<percentage size>% to scale the desktop to a percentage of the size the window would be were this parameter set
to None. The window cannot be resized larger.
<percentage width>%x<percentage height>% to scale each axis of the desktop to a percentage of the size the
window would be were this parameter set to None. The window cannot be resized larger.
ScalingQuality
Mac OS X
Specify one of the following values to determine the rendering quality when the host computers desktop is scaled:
ScrollWheelAccel
Mac OS X
TRUE
Specify FALSE to ignore the speed at which the mouse is set to scroll in System Preferences, causing turns of the
mouse wheel to scroll pages at a regimented speed.
Note: This parameter is ignored unless the SendPointerEvents parameter and the VNC Server
AcceptPointerEvents parameter are both set to TRUE.
See also: SendPointerEvents
SecurityNotificationTimeout
Specify the number of milliseconds to display encryption status to a newly-connected user for.
The status is displayed at the bottom of the VNC Viewer application window, in a green bar if the connection is
encrypted and in a red bar if it is unencrypted. The connected user can dismiss the status bar at any time.
Specify 0 to suppress the display of the encryption status.
184
2500
SelectDesktop
NULL
Specify the name of a computer to connect to automatically when a connection is established to a suitably-enabled
ADDERLink KVM-over-IP switch.
See also: RelativePtr
SendKeyEvents
TRUE
Specify FALSE to prevent a connected user controlling the host computer using the client computers keyboard.
Note: This parameter is ignored unless the VNC Server AcceptKeyEvents parameter is set to TRUE.
See also: SendPointerEvents
SendMediaKeys
Mac OS X
FALSE
Specify FALSE to cause media keys such as Play and Volume Up to be interpreted by the client computer. By default,
these keys are sent to, and interpreted by, the host computer, providing VNC Viewer is in full screen mode.
Note: This parameter is ignored unless the SendKeyEvents parameter and the VNC Server AcceptKeyEvents
parameter are both set to TRUE.
See also: SendKeyEvents
SendPointerEvents
TRUE
Specify FALSE to prevent a connected user controlling the host computer using the client computers mouse.
Note: This parameter is ignored unless the VNC Server AcceptPointerEvents parameter is set to TRUE.
See also: SendKeyEvents
SendPrimary
UNIX
TRUE
Specify FALSE to send the PRIMARY selection (that is, the currently highlighted content) to VNC Server in preference
to the CLIPBOARD selection.
See also: ClientCutText
SendSpecialKeys
Windows
TRUE
Specify FALSE to cause the following keys and key combinations to be interpreted by the client computer:
Windows (also known as Start or Super), PrtScn (Print Screen), Alt+Tab, Alt+Esc, Ctrl+Esc
By default, these keys and key combinations are sent to, and interpreted by, the host computer.
Note: This parameter is ignored unless the SendKeyEvents parameter and the VNC Server AcceptKeyEvents
parameter are both set to TRUE.
See also: SendKeyEvents
ServerClipboardGraceTime
1000
Specify a number of milliseconds to wait before discarding text copied from the host computer if VNC Viewer no longer
has focus.
See also: ServerCutText
185
ServerCutText
TRUE
Specify FALSE to prevent a connected user copying text on the host computer and pasting it to their client computer.
Note: This parameter is ignored unless the VNC Server SendCutText parameter is set to TRUE.
See also: ClientCutText
Shared
TRUE
Specify FALSE to request that other users be disconnected when a connection is established.
Note: A newly-connected user cannot prevent disconnected users reconnecting, and may be disconnected in turn.
VNC Server complies with this request providing the VNC Server DisconnectClients parameter is set to TRUE.
Note: This parameter is ignored unless both the VNC Server AlwaysShared and NeverShared parameters are set to
FALSE.
ShareFiles
TRUE
Specify FALSE to prevent a connected user transferring files to and from the host computer.
Note: This parameter is ignored unless the VNC Server ShareFiles parameter is set to TRUE.
See also: FetchDir
SingleSignOn
TRUE
Specify FALSE to prevent a user authenticating automatically to VNC Server using credentials already supplied to log
on to the client computer (even if VNC Server is set to use the single sign-on authentication scheme, and all the
necessary network infrastructure is in place; see Setting up single sign-on authentication on page143.)
ToolbarIconSize
24
Specify either 16, 24, or 32 to determine the size in pixels of the icons on the VNC Viewer toolbar.
See also: EnableToolbar
UseAddrBook
TRUE
Specify FALSE to prevent a connected user saving connections to VNC Address Book.
The user is prompted to save connections to an (less secure) .vnc desktop file instead.
UseDisplayCapture
Mac OS X
TRUE
Specify FALSE to prevent key combinations such as Cmd+Tab being sent to the host computer when the VNC Viewer
application window is in full screen mode.
See also: FullScreen
UseAllMonitors
Windows, Mac OS X
FALSE
Specify TRUE to display the host computers desktop across all available monitors when VNC Viewer is in full screen
mode (if more than one monitor is attached to the client computer).
See also: FullScreen, Monitor
186
UseLocalCursor
TRUE
Specify FALSE to display the cursors of both the client and host computer (the former is represented by a dot). This may
be useful if the connection suffers from high latency, though note VNC Server may be required to send more screen
updates.
Note: This parameter is ignored unless the SendPointerEvents parameter and the VNC Server
AcceptPointerEvents parameter are both set to TRUE.
See also: SendPointerEvents
UserName
VerifyID
Specify one of the following values to determine whether or not to warn a connecting user that VNC Servers signature
status has changed (note that in particular, a different signature may indicate a man-in-the-middle attack):
1 to ensure warnings appear for different signatures, and for computers that no longer have a signature.
By default, warnings appear for new and for different signatures, and for computers that no longer have a signature (for
example, if VNC Server has been downgraded from an Enterprise or a Personal to a Free license).
See also: Identities
WarnUnencrypted
TRUE
Specify FALSE to prevent a connecting user being warned that the connection will be unencrypted before it is
established.
187
188
D
VNC At The Command Line
This appendix explains how to interact with VNC applications and perform particular operations at the
command line.
Note: VNC applications should not be run with elevated privileges unless otherwise stated.
Contents
VNC Server at the command line
190
192
189
Windows
Commands for VNC Server in Service Mode must be run from an Administrator Command Prompt.
To...
Mode
User
vncserver.exe
Service
vncserver.exe -start
Connect to Listening
VNC Viewer
User
Service
User
Service
invalid operation
vncserver.exe -reload
Get help
User
vncserver.exe -help
Service
User
vncserver.exe -stop
Service
UNIX
Commands for VNC Server in Service Mode must be run with elevated privileges.
For VNC Server in Virtual Mode, the vncserver symlink can be substituted for vncserver-virtual.
To...
Mode
User
vncserver-x11
Service
/etc/init.d/vncserver-x11-serviced start
#initd
#systemd
Virtual
190
vncserver-virtual
To...
Mode
Connect to Listening
VNC Viewer
User
Service
Virtual
User
Service
invalid operation
Virtual
User
vncserver-x11 -reload
Service
Virtual
Get help
User
vncserver-x11 -help
Service
vncserver-x11-serviced -help
Virtual
vncserver-virtual -list
User
vncserver-x11 -stop
Service
/etc/init.d/vncserver-x11-serviced stop
#initd
#systemd
Virtual
Mac OS X
Commands for VNC Server in Service Mode must be run with elevated privileges.
To...
Mode
User
/Library/vnc/vncserver-root
Service
VNC\ Server.app/Contents/MacOS/vncserver_service
User
Service
User
Service
invalid operation
User
/Library/vnc/vncserver -reload
Service
Get help
User
/Library/vnc/vncserver -help
User
/Library/vnc/vncserver -stop
Service
Connect to Listening
VNC Viewer
Service
191
Installed VNC Viewer as part of VNC, from www.realvnc.com/download/vnc/. Note that, by default,
programs are installed:
Under Windows, in C:\Program Files\RealVNC\VNC Viewer
Under UNIX, in either /usr/bin or /usr/local/bin
Under Mac OS X, in /Applications/RealVNC
See Setting up the client computer on page12 for more information on these issues.
Windows
To...
Start VNC Viewer
Type
Standalone
<download file>.exe
Installed
vncviewer.exe
Standalone
Installed
Standalone
Installed
Standalone
Installed
vncviewer.exe -help
To...
Type
Standalone
./<download file>
Installed
vncviewer
Standalone
Installed
Standalone
Installed
Get help
Standalone
Installed
vncviewer -help
Get help
UNIX
192
Mac OS X
To...
Type
Standalone
Installed
VNC\ Viewer.app/Contents/MacOS/vncviewer
Standalone
Installed
Get help
Installed
Standalone
Installed
193
194