Remote Access

IMPORTANT INFO: By Tuesday 20. June access to rem-acc will require Microsoft MFA (multi factor authentication)


https://www.psi.ch/en/computing/change-to-mfa


If your account isn`t already enabled for Microsoft MFA, please
contact the IT Servicedesk during the business hours
using helpmfa@psi.ch

The purpose of this service is to offer to PSI and external users convenient access to compute resources, in particular to the beamline consoles and the Ra offline data analysis cluster. The access is provided in form of full graphical user session via the NoMachine software. Users need a PSI_account to use the resources and can access only those, to which they are explicitly entitled

The following prerequisites must be fulfilled

  • You need a PSI_account (an e-account or DUO account is not sufficient). If you do not have such an account, please request it via your PSI contact person.
  • You need to have the NX software installed on your PC/Laptop/Tablet. The NoMachine client software can be downloaded and installed for Windows, Mac, Linux, Android and iOS systems free of charge (PSI-Windows users: please use installation from software kiosk, do not install client from NoMachine). At the time of writing the NoMachine version 6 software is needed.

Short description

  • Run NX client and create new NoMachine connection
    • Enter host rem-acc.psi.ch
    • Enter your PSI_account name and password
    • Choose one of the offered physical desktops or create a new virtual desktop
    • For the proposed settings choose defaults except for:
      • physical desktops: un-click the tick mark: "Change the server resolution to match the client when I connect"
      • virtual desktops: choose "Resize remote screen" in the display options settings

Detailed description

Set up a NoMachine connection to rem-acc.psi.ch

Ensure you are using NoMachine client version 6 (or later) to connect. Start your NX/NoMachine client, select New and then NX protocol
nomachine1 1.png
Specify the host name rem-acc.psi.ch and leave the UDP flag ticked
nomachine2 1.png
Keep the default option "Password"
nomachine3 1.png
Keep the default settings for HTTP proxy: most of the time the no-proxy option is correct. Contact your local system administrator if it does not work for your host:
nomachine4 1.png
Here define a meaningful name for the connection. This profile will later be used for all connections to the PSI network
nomachine5 1.png
In all future NoMachine sessions the following will be your starting screen.
nomachine6 1.png

Choose your newly created profile and click the Connect button. At the first connection you will be asked to verify the fingerprint of the ssh certificate of rem-acc.psi.ch. If you get the same string "SHA256 B4 38...5E E1" click "yes" to confirm.

current(April2020)
Enter your PSI_account name and password.
nomachine7 1.png
Here you can select from a list of available physical desktops and from a list of existing sessions to the allowed hosts, including those from other users. Most of the time you will want to ignore the latter and either connect to a physical desktop (typical use case for the beamlines) or click the link "Create a new desktop" for a new virtual desktop session.
nomachine8 1.png
You may want to mute the sound (when connecting to the physical desktop)
nomachine mute.png
For physical desktops you usually want to un-check the option "Change the server resolution". For the virtual desktops the recommended option is "Resize remote screen" (this you change later with ctrl-alt-0 and in the display options)
nomachine9 1.png

NoMachine offers two types of remote connections, physical and virtual desktops.

Physical desktops
Here you connect to a actual machine having a graphic card and connected monitors. You "see" the same displays as the person who sits in front of the physical computer. The session reacts to both mouse and keyboard connected locally and remotely. This behaviour can be configured, e.g. if a "view only" option is required.

Virtual Desktops (Linux only)
The virtual desktop functionality allows individual multiple Linux desktops to run independently on the same host. Each user has her/his own personal 'virtual' Linux desktop.

 


In the NoMachine client, you can choose which desktops to see. Initially you may see a lot of connections, both active and suspended, from all users who have access to the same hosts than you have. To avoid this clutter you can click on the "All desktops" Button and choose "My desktops" instead. Or you type a search expression in the input field "Find a user or a desktop"

Both type of desktops allow for desktop sharing by different users, which is useful for collaboration use cases. For virtual sessions, this requires that the original user acknowledges such a request for desktop sharing. For physical desktops, this will depend on the configuration settings of the host.

 

Physical desktops are often connected to multiple monitors. In such a case the NoMachine Software offers which of the monitor(s) should be seen remotely. Type ctrl-alt-0 , choose display, then "Change Monitor" , select the screen(s) and finally confirm by hitting the "done" button 3 times
MultiMonitorSelection.png
MultiMonitorSupport.png
For both type of desktops, you have the possibility to disconnect a session (without closing it or logging out) and then reconnect later. You can reconnect from a different PC, which allows for migration scenarios, where e.g. to start your work in the office and continue your work from home, starting from the exact state where you left the session when disconnecting. Just type ctrl-alt-0 , choose "Connection" and hit the "disconnect" button. If you later start NoMachine, potentially from a different location, this session will appear in the list of "My desktops", from where you can re-connect.
Disconnect.png

Simply log out from the graphical session as you would do normally. It's recommended to close idle sessions.

If you need the best resulting image quality during remote access, e.g. to study very fine structures in black and white tomographic images, then you should choose the following settings (at the expense of the overall reaction time, which may become a bit sluggish, depending on your internet connection) Type ctrl-alt-0 -> display -> change settings and set quality (the upper bar) to 100 %. In addition you can tick the options "Disable multi-pass display encoding". See also NoMachine's Detailed description
DisplaySettings2.png

If you wish to test the procedures for remote access from your lab prior to your first remote access please contact your local contact who will arrange for access to a test machine. This will allow you to familiarize yourself with the NoMachine software as well as check the overall performance. The performance will depend mainly on the geographical distance from PSI and to a lesser extent on the available total network bandwidth of your internet connection.

Information for Beamline Scientists/Managers can be found in the internal PSI web page https://intranet.psi.ch/de/computing/photon-science-data-services

For MX

I do not get a connection. Whats wrong ?

Please check all of the following:

  • Do you have a valid PSI_account and did you use this for making the connection ? If not, get one (see above).
  • Is your local firewall allowing connections to port 4000 (NX protocol) ? If your local or your institutes firewalls blocks such outgoing connections you can try to set up an ssh tunnel via hop.psi.ch (see below).
  • Did you check with your PSI local contact that you are actually entitled to connect now ? Tthe access can depend on the date/time, e.g. for access to scheduled beamline resources.
  • Do you have a recent version of the NoMachine client installed (>= version 6.X)

There are many connection icons - which should I choose ?

On some clients the information about the name of the target machine is not always displayed. Instead you will only see who is logged in, but you do not see which machine the person is connected to. Solution: upgrade to a newer Client Version 6.x . You can select to see only your own running connections by clicking the "All desktops" button and select "My Desktops". But this will display only running or suspended virtual sessions, that you own.

I do not see the icons, which allow me to connect to the physical desktops

Sometimes you will only see the virtual session icons. In this case hit the "Back" button in the lower right corner of the NoMachine client. This should bring you to a list of machines, including the physical desktops.

I do not see the name of the computer to which I want connect

The computer name is unfortunately only shown if you choose the option list view with the view button (instead of icon or compact view). The view button is in the upper left corner of the NoMachine connection dialog.

I get a "permissioned denied" error message

If you get the error message: "Cannot create session directory:/afs/psi.ch/user/m/meier/.nx Error is:permission denied" when connecting you have to create the .nx directory once manually by typing "mkdir .nx" in the home directory of your AFS account.

My firewall rule doesn't allow access to 4000 port (outbound)

Some networks do not allow outgoing connections on port 4000. In such cases you might want to to reach out to the network administrator/responsible to allow connections to rem-acc.psi.ch on port 4000.

If this is not possible and/or feasible you can also reach rem-acc on port 22. Therefore you can adapt your NX connection settings to use port 22 instead of 4000. However make sure that you still select NX as the protocol!