Overview
Typically, when a Bot is deployed from the Automation Anywhere Enterprise Control Room to any Bot Runner, the Bot will attempt to auto-login into the Bot Runner (if the Bot Runner is locked or logged off).
However, auto-login is subject to the security policies set on the machine, so certain policies may need to be relaxed for auto-login to function.
To mitigate these issues, you can use RDP based Bot Deployment, which was introduced in Control Room from AAE 10SP2 with product version 10.5.0.
What is RDP Based Bot Deployment?
When the Bot is deployed from Control Room onto the Bot Runner, the Control Room will take the Bot Runner session via RDP (Remote Desktop Protocol) and will execute the Bot.
Key features and benefits of this approach
- The Bot runs in the Bot Runner’s RDP session in the Control Room in the background; no window is visible on the Control Room.
- Auto-login issues are mitigated as auto-login is not attempted; auto-login will ONLY be attempted if RDP fails in the first place.
- As the Bot Runner machine is not auto-logged in, the security issues related to ‘live monitor’ scenarios are mitigated.
An option to enable RDP based Bot Deployment is provided in the Control Room on the Bots > My Bots > Schedule Bot page.
To ensure that RDP based Bot Deployment works seamlessly, certain prerequisites and settings must be in place on the Control Room and the Bot Runner machine. The following section describes those prerequisites.
Prerequisites for RDP Based Bot Deployment
Settings on Bot Runners
On the Bot Runner machine, there are 2 main settings that need to be done.
- No Legal Disclaimer on Bot Runners - There should not be any legal disclaimer dialogs coming up when the user logs in to the Bot Runner. Legal disclaimers can be disabled via group or local policies.
- The RDP connection must be enabled on Bot Runner - Following are the steps to enable the RDP connection for the various machine types of Bot Runners:
  - Enabling RDP on Bot Runner on Physical Machine
    On the Bot Runner machine, ensure that remote connections to the Bot Runner are allowed from My Computer’s properties. Also, make sure the checkbox “Allow connections only from...” is checked.
  - Enabling RDP on Bot Runner on Virtual Machine (Azure, VMWare, Oracle Virtual Box)
    To enable RDP on a Virtual Machine, please refer to the appropriate documentation of the Virtual Machine host.
  - Enabling RDP on Bot Runner hosted on Citrix XenDesktop
    To enable RDP on Citrix XenDesktop, please refer to its documentation at: https://support.citrix.com/article/CTX129184/
  - Enabling RDP on Bot Runner hosted on Terminal Server
    Refer to the documentation on Managing Remote Desktop Services Connections. For Windows Server 2008 R2, the documentation is at: https://technet.microsoft.com/en-us/library/cc772051(v=ws.11).aspx
    Also, the user session on Terminal Server must be restricted to a single Remote Desktop Services session. Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections and ensure that “Restrict Remote Desktop Services users to a single Remote Desktop Services session” is enabled.
    Note: The same user is NOT allowed to log in multiple times to the Terminal Server; however, multiple users are not restricted from connecting to the Terminal Server.
  - Ensure the bot runner machine is allowed to accept incoming RDP requests/connections with saved credentials. To achieve this, disable the following group policy on the bot runner machine:
    Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security: ‘Always prompt for password upon connection’.
    When this group policy is enabled, the machine prompts again for credentials during RDP client login (for example, AARemoteMachineConnector.exe), because the target machine does not accept incoming connections from any RDP client in which the user has already supplied credentials.
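A read-only PowerShell audit of the Bot Runner settings described above, added here as an example (it is not Automation Anywhere code). The helper names and `$ExpectedPort` are hypothetical; the registry values are the standard Windows locations behind these policies, and the single-session row matters for Bot Runners hosted on a Terminal Server.

```powershell
# Added example: read-only audit of the Bot Runner prerequisites listed above.
# Run in an elevated PowerShell session on the Bot Runner; nothing is modified.
$ExpectedPort = 3389   # assumption: the rdp.port value set on the Control Room

$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$ts\WinStations\RDP-Tcp"
$tsPol  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Hypothetical helper: returns $null when the key or value does not exist.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# Hypothetical helper: a Group Policy value, when set, overrides the local one.
function Get-Effective([string]$Name, [string]$LocalPath) {
    $value = Get-RegValue $tsPol $Name
    if ($null -eq $value) { $value = Get-RegValue $LocalPath $Name }
    $value
}

function New-Check([string]$Name, $Value, [bool]$Pass) {
    [pscustomobject]@{ Check = $Name; Value = $Value; Pass = $Pass }
}

# Logon banner (legal disclaimer): both values must be empty or absent.
$legal = @('legalnoticecaption', 'legalnoticetext' |
    ForEach-Object { Get-RegValue $sysPol $_ } |
    Where-Object { -not [string]::IsNullOrWhiteSpace($_) })

$deny   = Get-Effective 'fDenyTSConnections'    $ts      # 0 = RDP allowed
$prompt = Get-Effective 'fPromptForPassword'    $rdpTcp  # 1 = always prompt
$single = Get-Effective 'fSingleSessionPerUser' $ts      # 1 = one session per user
$port   = Get-RegValue  $rdpTcp 'PortNumber'

@(
    New-Check 'No legal disclaimer at logon'        ($legal -join ' / ') ($legal.Count -eq 0)
    New-Check 'RDP connections enabled'             $deny   ($deny -eq 0)
    New-Check 'Always prompt for password disabled' $prompt ($prompt -ne 1)
    New-Check 'Single RDS session per user enabled' $single ($single -eq 1)
    New-Check 'RDP listener port matches rdp.port'  $port   ($port -eq $ExpectedPort)
) | Format-Table -AutoSize
```

A `Pass` value of `False` marks a prerequisite that would make the Control Room fall back to auto-login or stall at a prompt.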
Settings on Control Room machine
- Allow connection despite certificate errors.
  - On the Control Room machine, ensure that “Don’t ask me again for connections to this computer” is checked.
- On the Control Room AppServer machine, the user running the service "Automation Anywhere Control Room Service" should have admin rights (for UI Session) to run AARemoteMachineConnector.exe.
Changing screen resolution for Bot Runner session on Control Room
To ensure your automation runs seamlessly during RDP based deployment even when the resolution of screen varies between Bot Runners and Control Room, it is recommended that you add the screen resolution configuration of the Bot Runner machine.
For this, you can configure the deployment.properties file of the Control Room that is available in the installation path.
C:\Program Files\Automation Anywhere\Enterprise\Config\deployment.properties
To configure, add the following:
rdp.desktop.height=768
rdp.desktop.width=1366
rdp.port=3389
Note: You must configure the height, width, and port values according to your requirements.
Additional Information
FAQs
Q: Will there be 1 RDP session per Bot Runner?
A: Yes
Q: Do I need to ramp up the Control Room RAM for RDP Based Deployment?
A: You may want to, depending on the Bot deployment scenarios. A typical RDP session takes around 150MB of RAM. So, if you are deploying onto 10 Bot Runners, 1.5GB RAM will be consumed. We recommend that you increase the RAM to 16 GB if extensive Bot deployment is required. Refer to the Hardware Requirements section for Control Room in the AAE - Installation Guide that is shipped with the product.
Q: Will the RDP sessions be terminated once the Bot has finished executing?
A: Yes
Q: Can a Control Room user see the active RDP Session?
A: No. The user will not be able to see the active RDP session as it runs as a background process. However, the user can see it in the Task Manager's list of running processes.
Q: While the Bot is executed in an RDP session on the Control Room, if the Bot Runner user logs in to the Bot Runner, will it impact the Bot execution?
A: As soon as the user logs in to the Bot Runner, the RDP session on the Control Room will terminate. The Bot will continue to run, and the user will see it running on the Bot Runner.
Q: In the above scenario, if the user locks/logs off/disconnects the RDP session on the machine, what will happen to the current executing Bot?
A: If the user locks/disconnects the RDP session, the Bot will continue to run in the background; however, the screen-based commands may error out. If the user logs off the RDP session, the Bot execution will be terminated.
Q: While selecting Remote based Bot deployment, the AA player is taking more time to come up. Has the performance been affected by the new functionality?
A: No, there will be some delay before the AA player comes up, as the RDP connection must be made first. In an environment with high latency, the RDP connection itself might be a bit slow.
Q: What is the impact if the RDP connection is very slow?
A: If the Control Room takes, say, 30 seconds to RDP, then the Bot execution start-up will be delayed by 30 seconds for that Bot Runner. Beyond that, if the RDP session does not get connected, the Control Room will deploy the Bot via the legacy route (auto-login).
Q: If there is already an active RDP session (manually started by the user) and the Bot starts, will the existing RDP session be taken from the user?
A: The older RDP session will be disconnected and the task will be executed on the new RDP session created by the Control Room.
Q: If the RDP session crashes during Bot execution, would the Control Room know and restart the session without impacting Bot execution?
A: YES, RDP has a built-in reconnect capability, but it works only for a certain duration. So, if the Bot Runner is disconnected for a longer time, it will impact the execution of the Bot.
Q: Given the answer above, there is a possibility of the Bot erroring due to RDP disconnection. How would a developer/Control Room user differentiate between an RDP error and an actual Bot error? Otherwise, a developer may spend a long time (impacting production execution) deciphering code while the actual impact was due to the RDP session, which may not require any code change.
A: If the Bot errors out, it will automatically be audited in the Control Room. For the RDP disconnect case, we keep a list of reasons for disconnection and store it in a log file. The various reasons for disconnection are listed at: https://msdn.microsoft.com/en-us/library/aa382170(v=vs.85).aspx
Q: If the RDP session crashes, will the audit log show that occurrence and the status of the Bot even though RDP crashed?
A: YES, the Bot will still be running on the Bot Runner and it will write the required audit log of success or failure.
Q: We have occasional RDP session timeouts. Will Control Room RDP be impacted by it?
A: Ideally, there should not be any RDP TIMEOUT; otherwise it will impact the execution of the Bot.
Q: Will RDP based Bot Deployment work with Bot Schedules as well?
A: YES, there will be an option for the user to select RDP based Bot Deployment while scheduling the Bot from the Control Room.
Q: Can it be configured with other RDP tools like the VMware client? If not now, in the future?
A: Not for now
Q: When the Control Room tries to RDP, if the user's AD password has been changed, will the Control Room connect with the new password by syncing up with Active Directory?
A: NO. Control Room will only fetch the password which is set in Automation Anywhere Enterprise Credential Vault.
Q: If a Bot is scheduled to deploy onto 100 Bot Runners, will Control Room invoke RDP onto all 100 Bot Runners asynchronously or sequentially?
A: RDP sessions will be created on the Control Room box and Control Room will deploy Bot asynchronously on these Bot Runners.
Q: If a Bot is deployed onto 10 Bot Runners and the Control Room is unable to RDP onto the 5th Bot Runner, will it move on to the 6th Bot Runner or will the entire process be killed?
A: As it is happening in parallel, RDP failure of one Bot Runner does not impact the other. The Control Room will move onto the 6th Bot Runner.
Q: If the Control Room is unable to terminate the RDP session, will it notify the Control Room Admin or will it log this in the Audit trail?
A: No. The Control Room user should manually terminate the Bot Runner’s RDP session.
Q: Will this work if the Control Room is hosted in load-balanced high-availability disaster recovery (HA-DR) mode, where multiple Control Room Application Servers are installed? If yes, on which Control Room machine will the RDP sessions run?
A: Yes. This will work in HA-DR mode. In that case, the RDP sessions will be deployed on the Control Room Server which deploys the Bots.