« Back to docs

VNC Server parameter reference

You can configure VNC Server by changing parameters either on the Options > Expert page or at the command line.

Note that:

  • VNC Server parameters override equivalent VNC Viewer parameters unless otherwise stated.
  • Changes made to parameters on the Expert page take effect as soon as the Apply button is clicked, unless otherwise stated.

AcceptCutText

Platform Default value
All TRUE

Specify FALSE to prevent connected VNC Viewer users pasting text to the VNC Server computer.

See also: SendCutText, ClipboardFT


AcceptKeyEvents

Platform Default value
All TRUE

Specify FALSE to prevent connected VNC Viewer users controlling the VNC Server computer using their keyboards.

Use in conjunction with AcceptPointerEvents to make connections view-only, and with AcceptCutText, SendCutText, ShareFiles, and EnableChat to prevent all user interaction with the computer.


AcceptPointerEvents

Platform Default value
All TRUE

Specify FALSE to prevent connected VNC Viewer users controlling the VNC Server computer using their mice.

Use in conjunction with AcceptKeyEvents to make connections view-only, and with AcceptCutText, SendCutText, ShareFiles, and EnableChat to prevent all user interaction with the computer.


AllowChangeDefaultPrinter

Platform Subscription Default value
All Enterprise, Professional TRUE

Specify FALSE to prevent the VNC Server computer’s default printer being changed to that of the first VNC Viewer computer that connects.

Note

This parameter is ignored unless EnableRemotePrinting is TRUE.


AllowHTTP

Platform Default value Not after
All TRUE 5.3.2

Specify FALSE to prevent VNC Viewer for Java being downloaded from VNC Server.

Note

This parameter is ignored unless AllowTcpListenRfb is TRUE.

See also: HttpPort


AllowCloudRfb

Platform Default value Since
All TRUE 6.0.0

Note

This parameter has no effect unless cloud connectivity has been enabled for the VNC Server computer. Note this is a manual operation if you have an Enterprise subscription.

Specify FALSE to prevent cloud connections to VNC Server. Existing cloud connections are not terminated.

See also: AllowTcpListenRfb


AllowTcpListenRfb

Platform Subscription Default value
All Enterprise TRUE

Specify FALSE to prevent direct connections to VNC Server. Existing direct connections are not terminated.

See also: RfbPort, TcpListenAddresses, AllowCloudRfb


AlwaysShared

Platform Default value
All FALSE

Specify TRUE or FALSE in conjunction with NeverShared, DisconnectClients, and the VNC Viewer Shared parameter to determine whether just one or multiple VNC Viewer users can connect to and control the VNC Server computer at the same time.

AlwaysShared NeverShared DisconnectClients Shared Concurrent connections allowed?
TRUE FALSE ignored ignored Yes.
FALSE TRUE TRUE ignored No. A new user will disconnect an existing user.
FALSE TRUE FALSE ignored No. A new user will not be able to connect.
FALSE FALSE ignored TRUE Yes.
FALSE FALSE TRUE FALSE No. A new user will disconnect an existing user.
FALSE FALSE FALSE FALSE No. A new user will not be able to connect.

Authentication

Platform Default value Since
All <subscription-specific> 5.3.0

Note

This parameter replaces SecurityTypes from version 5.3.0, in conjunction with Encryption.

If you have an Enterprise or Professional subscription, specify the authentication scheme to use for VNC Server.

Note

Do not edit this parameter if you have a Home subscription, or remote access will not be available.

Authentication scheme Default parameter value Subscription availability How does a VNC Viewer user authenticate?
VNC password VncAuth Enterprise, Professional, Home A password specific to VNC Server.
System authentication SystemAuth Enterprise, Professional User account (system login) credentials.
Single sign-on SingleSignOn,SystemAuth Enterprise User account credentials, provided transparently.
Smartcard/certificate store Certificate Enterprise, Professional An X.509 certificate, provided transparently.
System authentication + RADIUS authentication SystemAuth+Radius Enterprise, Professional User account credentials, and then responses to a third party RADIUS server.
None None Enterprise  

Note that:

  • VncAuth is the only scheme that allows direct connections from VNC-compatible Viewer projects from third parties.
  • If single sign-on fails for any reason, the default , character indicates that VNC Server will automatically fall back to SystemAuth.
  • You can create your own multi-factor custom authentication scheme by unioning parameter values using the + character.
  • Only specify None for direct connections to internal computers only, and never for direct connections to computers over the Internet, nor for cloud connections. A simple port scanning attack could see your computer taken over by a malicious entity.

See also: Encryption


AuthTimeout

Platform Default value
All 120

Specify a number of seconds to give connecting VNC Viewer users time to enter authentication credentials. After this, connections are rejected, even if the correct credentials are supplied.

Specify 0 to give connecting users unlimited time.

Note

This parameter is ignored if Authentication is set to None.

See also: BlacklistThreshold, IdleTimeout


AutoLogonOverride

Platform Mode Default value
Windows Service FALSE

Specify TRUE to allow connected VNC Viewer users pressing the Shift key while logging off from the VNC Server computer to override the ForceAutoLogon and IgnoreShiftOverride Windows Registry values, and show the login screen. This enables connected users to choose a different user account to log back on to.

By default, the Shift key press is ignored and the same user account is automatically logged back on.


BlackListThreshold

Platform Default value
All 5

Specify a number of unsuccessful authentication attempts that can be made from a VNC Viewer computer (identified by its IP address) before all connections from that computer are rejected for BlacklistTimeout. This may help protect against brute-force dictionary attacks on the VNC Server password.

Note

This parameter is ignored if Authentication is set to None. Under Linux, if Authentication is SystemAuth, the underlying authentication system may also provide a protection mechanism after 10 unsuccessful attempts.

Specify 0 to allow unlimited unsuccessful authentication attempts from a VNC Viewer computer.


BlackListTimeout

Platform Default value
All 10

Specify a number of seconds during which connections from the VNC Viewer computer identified by BlacklistThreshold are forbidden. After this time, one further unsuccessful authentication attempt is permitted before BlacklistTimeout is doubled and applied again.

Note

To reset BlacklistThreshold and BlacklistTimeout to their original values, restart VNC Server.


BlankScreen

Platform Default value
Windows FALSE

Specify TRUE to blank the monitor of the VNC Server computer when VNC Viewer users are connected, in order to protect their privacy.

Note

This parameter has no effect under Windows 8 or later.


CaptureMethod

Platform Mode Default value
Windows, Linux Service, User 0

Note

This parameter was called UpdateMethod until version 5.3.0.

Specify one of the values in the platform-specific section below to determine the method used by VNC Server to capture changes to the computer desktop, in order to send screen updates to VNC Viewer. Note all connections must be terminated before changes to this parameter take effect.

Windows

  • 0 to use the optimal method. For VNC Server in Service Mode on Windows 8 or later, this is DirectX; on earlier platforms, VNC Mirror Driver, if it is installed. For User Mode, the optimal method is polling since Windows XP.

    Note

    VNC Mirror Driver is typically quick and effective, though it may not capture some DirectX or OpenGL applications, nor interface correctly with some graphics cards.

  • 1 to poll the display system for changes to the entire desktop. This may be the slowest method, but can be useful to track changes to applications that interface directly with the graphics card.

  • 2 to use application hooks to monitor messages sent to ascertain whether application content has changed. Note this method is not effective on most Windows platforms.

Linux

  • 0 to use the optimal method, which is the DAMAGE extension if it is enabled and responsive, and to fall back to polling if not.
  • 1 to poll the display system for changes to the entire desktop. This may be the slowest method, but can be useful to track changes to applications that interface directly with the graphics card.
  • 2 to force use of the DAMAGE extension, and not fall back to polling. If DAMAGE is not working correctly, some regions may not update correctly but CPU utilization will be minimized.

See also: UseCaptureBlt, PollInterval


ClipboardFT

Platform Subscription Default value
Windows Enterprise, Professional TRUE

Specify FALSE to prevent connected VNC Viewer users on Windows computers exchanging files with the VNC Server computer using the standard operating system copy and paste mechanism.

Note

VNC Server must be restarted in order for a change to this parameter to take effect. In addition, this parameter is ignored unless AcceptCutText and SendCutText are both TRUE.

See also: ShareFiles


ConnectToExisting

Platform Subscription Mode Default value
Linux Enterprise Virtual Daemon 0

Specify 1 to cause individual virtual desktops created on demand by the vncserver-virtuald daemon to persist when their VNC Viewer user disconnects. When the VNC Viewer user reconnects to the daemon using the same authentication credentials, that user is redirected to their still-running virtual desktop.

By default, a virtual desktop created on demand by the daemon is destroyed when the last VNC Viewer user disconnects.


ConnNotifyTimeout

Platform Default value
All 4

Specify a number of seconds between 1 and 255 to display connection and disconnection notification messages for.

Specify 0 to disable notification messages.

See also: QueryConnect


ConnTimeout

Platform Default value
All 0

Specify a number of seconds for connections to last. By default there is no timeout, though IdleTimeout disconnects if the VNC Viewer user is inactive.


DaemonPort

Platform Subscription Mode Default value
Linux Enterprise Virtual Daemon 5999

Specify a number between 1 and 65535 representing an available TCP port on which the vncserver-virtuald daemon can listen for direct connection requests from VNC Viewer, in order to create virtual desktops on demand.


Desktop

Platform Default value
All <mode-specific>

Specify a name for the VNC Server computer desktop to display on the title bar of connected VNC Viewer app windows.

Note

VNC Server must be restarted in order for a change to this parameter to take effect.


DisableAddNewClient

Platform Subscription Default value
All Enterprise FALSE

Specify TRUE to disable the Connect to Listening VNC Viewer option on the VNC Server shortcut menu, preventing users establishing reverse direct connections via the user interface. Note that reverse direct connections can still be established from the command line.

See also: DisableTrayIcon, DisableClose, DisableOptions


DisableAero

Platform Default value
Windows FALSE

Specify TRUE to disable Windows Aero (the default graphical user interface and theme in most editions of Windows Vista and 7) while sessions are in progress. This may improve performance.

See also: DisableEffects, RemovePattern, RemoveWallpaper


DisableClose

Platform Default value
All FALSE

Specify TRUE to disable the Stop VNC Server option on the VNC Server shortcut menu, preventing users stopping VNC Server via the user interface.

Note

VNC Server can still be stopped from the command line, or (for example) using Control Panel > Administrative Tools > Services under Windows.

See also: DisableTrayIcon, DisableClose, DisableOptions


DisableEffects

Platform Default value
Windows FALSE

Specify TRUE to disable particular graphical user interface effects such as font smoothing while sessions are in progress. This may improve performance.

See also: DisableAero, RemovePattern, RemoveWallpaper


DisableLocalInputs

Platform Default value
Windows FALSE

Specify TRUE to disable the keyboard and mouse of the VNC Server computer while sessions are in progress, preventing a local user interrupting connected VNC Viewer users.

See also: AcceptKeyEvents


DisableOptions

Platform Default value
All FALSE

Specify TRUE to disable the Options option on the VNC Server shortcut menu, preventing users configuring VNC Server via the user interface.

Note

VNC Server can still be configured from the command line.

See also: DisableAddNewClient, DisableClose, DisableTrayIcon


DisableTrayIcon

Platform Default value
All 0

Specify one of the following values to control the appearance of the VNC Server icon in the notification tray (Windows and Linux) or on the Status Bar (Mac):

  • 0 to show the VNC Server icon at all times.
  • 1 to hide the VNC Server icon while no sessions are in progress, preventing a local user performing certain operations via the user interface. The icon is shown when a connection is first established.
  • 2 to hide the VNC Server icon permanently. This is effective only for OEM license keys.

See also: DisableAddNewClient, DisableClose, DisableOptions


DisconnectAction

Platform Mode Default value
Windows, Mac Service NONE

Specify one of the following values to determine the behavior of the VNC Server computer when the last user disconnects (or is disconnected):

  • None to leave the computer ‘as is’ (that is, potentially with a user account logged on).
  • Lock to lock the computer. Connections can immediately be re-established, but at least one connected VNC Viewer user must know how to unlock the computer in order to continue.
  • Either:
    • Under Windows, Logoff to log the current user account out. Connections can immediately be re-established, but at least one connected user must log on to a user account in order to continue.
    • Under Mac, StartScreensaver to start the screen saver.

DisconnectClients

Platform Default value
All TRUE

See AlwaysShared.


display

Platform Mode Default value
Linux Service, User  

Specify the X Window display and optionally the screen number to remote to connected VNC Viewer users, for example :1.0.

Note

This parameter overrides the DISPLAY environment variable.

See also: DisplayDevice, Monitor


DisplayDevice

Platform Default value
Windows  

Specify the name of a particular monitor or similar device attached to the VNC Server computer to remote to connected VNC Viewer users, for example \\.\Display1. Available names (IDs) are shown on the Diagnostics page of the Information Center dialog.

Note

All existing connections must be terminated in order for a change to this parameter to take effect.

By default, or if the value is not recognized, all monitors are remoted.

See also: Monitor, display


EnableAutoUpdateChecks

Platform Default value
All <subscription-specific>

Specify:

  • 0 to prevent VNC Server automatically checking for critical software patches and product updates to which you are entitled every UpdateCheckFrequencyDays.
  • 1 to ensure VNC Server automatically checks.
  • 2 to cause VNC Server to prompt for one of the options above at install-time.

See also: EnableManualUpdateChecks


EnableChat

Platform Subscription Default value
All Enterprise, Professional FALSE

Specify FALSE to prevent connected VNC Viewer users participating in chat sessions.


EnableGuestLogin

Platform Subscription Default value
All Enterprise FALSE

Specify TRUE to turn on the Guest Login option on the VNC Server shortcut menu, allowing particular connecting VNC Viewer users to bypass the VNC Server authentication scheme.

Note

This parameter is ignored if GuestAccess is set to 0.


EnableManualUpdateChecks

Platform Default value
All TRUE

Specify FALSE to disable the Check for updates option on the VNC Server shortcut menu, preventing checking for critical software patches or product updates.

See also: EnableAutoUpdateChecks


EnableRemotePrinting

Platform Subscription Default value
All Enterprise, Professional TRUE

Specify FALSE to prevent connected VNC Viewer users printing VNC Server computer files to their local printers.

See also: AllowChangeDefaultPrinter


Encryption

Platform Default value Since
All AlwaysOn 5.3.0

Note

This parameter replaces SecurityTypes from version 5.3.0, in conjunction with Authentication.

If you have an Enterprise subscription, determine, in conjunction with VNC Viewer, whether:

  • Remote control sessions are upgraded to 256-bit AES (available for both cloud connections and direct connections).
  • The initial exchange of authentication credentials is encrypted, but subsequent sessions are unencrypted (direct connections only). Turning encryption off may register a small performance benefit, but data may be decipherable if intercepted by malicious parties.

Note

Do not edit this parameter if you have a Home or Professional subscription, or remote access will not be available.

By default, AlwaysOn means that sessions are encrypted end-to-end using 128-bit AES. From the table below, choose a different value appropriate to the level of encryption you wish VNC Server to offer.

Encryption preference Parameter value Connection method
Always Maximum AlwaysMaximum Cloud and direct
Always on AlwaysOn Cloud and direct
Prefer on PreferOn Direct only
Prefer off PreferOff Direct only
Always off AlwaysOff Direct only

Note that the actual level of encryption that results for a connection depends upon the preference set by the connecting user; see the VNC Viewer Encryption parameter. Note some combinations prevent VNC Viewer users being able to connect:

VNC Server Encryption parameter VNC Viewer Encryption parameter Resulting level of encryption
AlwaysMaximum Server 256-bit AES
AlwaysMaximum 256-bit AES
AlwaysOn 256-bit AES
PreferOn 256-bit AES
PreferOff 256-bit AES
AlwaysOn Server 128-bit AES
AlwaysMaximum 256-bit AES
AlwaysOn 128-bit AES
PreferOn 128-bit AES
PreferOff 128-bit AES
PreferOn Server 128-bit AES
AlwaysMaximum 256-bit AES
AlwaysOn 128-bit AES
PreferOn 128-bit AES
PreferOff Unencrypted direct connection
PreferOff Server Unencrypted direct connection
AlwaysMaximum 256-bit AES
AlwaysOn 128-bit AES
PreferOn 128-bit AES
PreferOff Unencrypted direct connection
AlwaysOff Server Unencrypted direct connection
AlwaysMaximum Cannot connect
AlwaysOn Cannot connect
PreferOn Unencrypted direct connection
PreferOff Unencrypted direct connection

See also: Authentication


GuestAccess

Platform Subscription Default value
All Enterprise  

Determine whether VNC Viewer users can connect as guests, bypassing the VNC Server authentication scheme. In addition, grant session permissions to connected guests.

Note

For a value other than 0, EnableGuestLogin must also be set to TRUE.

Specify a value consisting of one or particular combinations of the following characters:

  • 0 or blank to prevent users connecting as guests, even if EnableGuestLogin is TRUE.
  • s to allow connected guests to view the desktop. Note that omitting this value means guests see a blank screen.
  • v to give connected guests a view-only set of permissions (equivalent to s in this release).
  • k to allow connected guests to exercise control using their keyboards (subject to AcceptKeyEvents).
  • p to allow connected guests to exercise control using their mice (subject to AcceptPointerEvents).
  • c to allow connected guests to copy and paste text between the computers (subject to SendCutText and AcceptCutText).
  • t to allow connected guests to transfer files between the computers (subject to ShareFiles).
  • r to allow connected guests to print to local printers (subject to EnableRemotePrinting).
  • h to allow connected guests to chat (subject to EnableChat).
  • d to give connected guests a default set of permissions (equivalent to skpctrh).
  • q to allow connected guests to bypass connection prompts (subject to QueryConnect).
  • f to give connected guests a full set of permissions (equivalent to dq).

For example, skpc grants connected guests viewing (s), controlling (k and p), and copy and paste (c) permissions. The other permissions are omitted, which means the corresponding features are not available.


Hosts

Platform Subscription Default value
All Enterprise  

Filter incoming direct connections by IPv4 address. VNC Viewer computers can either be permitted to connect, be rejected, or be flagged up for verification by a VNC Server computer (or an already-connected) user.

Note

This parameter does not filter cloud connections.

Note

The default + value permits direct connections from all VNC Viewer computers. Note that changing this default means connecting users will no longer be able to specify IPv6 addresses in order to connect.

Specify an ordered, comma-separated list of actions and network addresses, each of the form:

<action><ip address-or-range>

where <action> is either:

  • + to permit direct connections
  • - to reject direct connections
  • ? to flag direct connections

and <ip address-or-range> is either a particular IPv4 address, or a range suffixed by a forward slash (/) and either a subnet mask (for example 192.168.0.187/255.255.0.0) or the number of bits in the routing prefix (for example 192.168.0.187/24).

Consider the following example:

+192.168.0.1,?192.168.4.0/255.255.255.0,-

  • The first entry permits direct connections from a VNC Viewer computer with the IP address 192.168.0.1.
  • The second entry flags direct connections from any VNC Viewer computer situated in the 192.168.4 subnet.
  • The third entry rejects direct connections from all other VNC Viewer computers.

To exclude particular addresses (or small ranges) from within an included range, add the address and suitable subnet mask before the include entry and prefix with .

See also: localhost


HttpPort

Platform Default value Not after
All 5800 5.3.2

Specify a number between 1 and 65535 representing an available TCP port from which VNC Viewer for Java can be downloaded from VNC Server. This can be the same as RfbPort, to simplify firewall and router configuration. Note that ports 1 to 1024 are restricted by some operating systems.

Note

This parameter is ignored unless AllowHTTP and AllowTcpListenRfb are TRUE.


IdleTimeout

Platform Default value
All 3600

Specify a number of seconds to wait before disconnecting VNC Viewer users who have not interacted with the VNC Server computer during that time.

Specify 0 to never disconnect idle users.

See also: DisconnectAction


KerberosPrincipalName

Platform Subscription Default value
Mac, Linux Enterprise host/<computer-name>

Specify the ‘host’ service principle name as it is registered for the VNC Server computer with the domain controller, for example host/papaya.dev.acmecorp.com. This may be useful if connecting VNC Viewer users are experiencing problems authenticating automatically to VNC Server.

Note

This parameter is ignored unless Authentication is set to SingleSignOn.


LeftCmdKey

Platform Default value
Mac Alt_L

Map one of the following keysyms received from VNC Viewer to the left Command key:

  • Alt_L
  • Alt_R
  • Super_L
  • Super_R
  • ExtendedChars

The default value of Alt_L means that, for connections from:

  • Windows or Linux computers with PC keyboards, connected users can press the left Alt key to simulate a press of the left Command key.
  • Mac computers, it is recommended you do not change this parameter unless you are also able to make the same change to the VNC Viewer LeftCmdKey parameter, which by default maps the left Command key to the Alt_L keysym.

Note that ExtendedChars refers to the key typically used to create extended characters, for example AltGr on non-US PC keyboards.

Note

This parameter is ignored unless AcceptKeyEvents is TRUE.

See also: LeftOptKey, RightCmdKey, RightOptKey


LeftOptKey

Platform Default value
Mac ExtendedChars

See LeftCmdKey, but for the left Option key.


Locale

Platform Default Value
All  

Specify one of the following values to choose a display language for VNC Server:

  • en_US for English
  • fr_FR for French
  • de_DE for German
  • es_ES for Spanish

By default, this parameter is empty, and the VNC Server user interface inherits the desktop language of the currently logged-on computer user, or falls back to English if this language has not yet been translated in the software.

There are two aspects to the display language; specifying this parameter in different locations enables these aspects to be controlled separately (if required):

  • The language in which the VNC Server user interface is displayed. Note VNC Server must be restarted in order for any change to take effect.
  • The language in which connectivity and other messages are transmitted to VNC Viewer users.

To change the user interface language, specify this parameter:

  • Under Windows, in the Software\RealVNC\vncserverui-service (Service Mode) or Software\RealVNC\vncserverui-user (User Mode) Registry key. Note these keys are both in the HKEY_CURRENT_USER hive.
  • Under Linux, in the vncserverui-service (Service Mode), vncserverui-user (User Mode), or vncserverui-virtual (Virtual Mode) VNC configuration file. You can create these files if they do not exist in any appropriate location in this table.
  • Under Mac, in the vncserverui-service (Service Mode) or vncserverui-user (User Mode) VNC configuration file. You can create these files if they do not exist in any appropriate location in this table.

To change the language of transmitted messages, you can either edit this parameter on VNC Server’s Options > Expert page, or alternatively specify it:

  • Under Windows, in the HKEY_LOCAL_MACHINE\Software\RealVNC\vncserver (Service Mode) or HKEY_CURRENT_USER\Software\RealVNC\vncserver (User Mode) Registry key.
  • Under Linux, in the /root/.vnc/config.d/vncserver-x11 (Service Mode), ~/.vnc/config.d/vncserver-x11 (User Mode), or ~/.vnc/config.d/Xvnc (Virtual Mode) VNC configuration file.
  • Under Mac, in the /var/root/.vnc/config.d/vncserver (Service Mode) or ~/.vnc/config.d/vncserver (User Mode) VNC configuration file.

Note

Under Linux and Mac, you can configure both language aspects together (and for all programs) by specifying this parameter in a global location such as /etc/vnc/config.d/common.custom.


localhost

Platform Subscription Default value
All Enterprise FALSE

Specify TRUE to only permit direct connections from VNC Viewer running on the same computer as VNC Server.

Note

This parameter does not affect cloud connections.

See also: Hosts


Log

Platform Default value
All <platform-specific>

Record information about the main VNC Server process.

Note

It is possible to separately record information about sub-processes, for example the VNC Server service under Windows.

Specify an ordered, comma-separated list of activities, each of the form:

<log>:<target>:<level>

where:

  • <log> determines the type of activity to record, for example connection, printing or file transfer activity, or * to record all. To see a list of available logs, examine the Log names section in the advanced help output (run the command <app> -help all).
  • <target> determines the output destination:
    • Under Windows, either stderr, file (configured using LogDir and LogFile), or EventLog (to write to the Windows Event Log service).
    • Under Mac and Linux, either syslog (configured using SyslogFacility under Linux), stderr or file.
  • <level> determines severity: 0 includes only serious errors, 10 includes basic audit information, 30 includes general information, and 100 includes all possible information, potentially including keystrokes.

Consider the following example:

*:file:10,Connections:file:100

  • The first entry (*:file:10) specifies that all activity is recorded to file at level 10.
  • The second entry (Connections:file:100) overrides this for connection activity, recording it (to the same file) at level 100.

LogDir

Platform Default value
All <platform-specific>

Specify a directory in which VNC Server should create a LogFile. This location must be writable.

Note

This parameter is ignored unless at least one Log entry has an output destination of file.

For example, under Windows X:\my\file\server\realvnc\logs\${COMPUTERNAME}\vncserver specifies a file share mapped to drive X, and distinguishes the name of the originating computer.


LogFile

Platform Default value
All <platform-specific>

Specify a name for the file VNC Server should create in LogDir, for example realvnc-debug.log.

Note

This parameter is ignored unless at least one Log entry has an output destination of file.


Monitor

Platform Default value
Mac -1

Specify the number of a particular monitor or similar device attached to the VNC Server computer to remote to connected VNC Viewer users, for example 0 for the primary monitor, 1 for a secondary monitor, and so on.

Note

All existing sessions must be terminated in order for a change to this parameter to take effect.

By default, or if the value is not recognized, all monitors are displayed.

See also: DisplayDevice, display


NeverShared

Platform Default value
All FALSE

See AlwaysShared.


NtLogonAsInteractive

Platform Subscription Default value
Windows Enterprise, Professional FALSE

Specify TRUE to establish connections as Interactive logon type 2 rather than Network logon type 3.

Note

This parameter is ignored unless Authentication includes SystemAuth.

This may be useful if user accounts valid for logging on to the VNC Server computer (and whose credentials VNC Viewer users therefore supply in order to connect) are not accorded the higher privileges of the Network logon type, and would consequently be rejected. Alternatively, if network access to a domain controller cannot be guaranteed, connections may be more reliable since the Interactive logon type caches credentials.

See also: Permissions


PamAccountCheck

Platform Subscription Default value
Linux, Mac Enterprise, Professional TRUE

Specify FALSE to check just PAM authentication rules. By default, PAM account rules are checked as well.

Note

This parameter is ignored unless Authentication includes SystemAuth.

This may be useful if connecting VNC Viewer users are experiencing problems authenticating to VNC Server, since account rule checks must be run as root.

See also: PamApplicationName


PamApplicationname

Platform Subscription Default value
Linux, Mac Enterprise, Professional vncserver

Specify vncserver.custom to use the custom PAM library and authentication and account rules specified:

  • Under modern versions of Linux or Mac, in the /etc/pam.d/vncserver.custom file.
  • Under Solaris, HP-UX, and older versions of Linux, by lines starting vncserver.custom in the /etc/pam.conf file.

Note

This parameter is ignored unless Authentication includes SystemAuth.

Under Linux, this may be useful to enable connecting users to authenticate to VNC Server using the credentials of domain accounts.

See also: PamAccountCheck, UsePam


Password

Platform Default value
All  

Specify a password specific to VNC Server in the correct obfuscated format.

Note

This parameter is ignored unless Authentication is set to VncAuth.

This parameter is normally set automatically when you install VNC Server or attempt to run it for the first time. It is not normally necessary to set it manually. For this reason, it does not appear on VNC Server’s Options > Expert page.

You can set this parameter manually in policy template files. Use the vncpasswd utility with the -print flag to generate a password in the correct format.


Permissions

Platform Subscription Default value
All Enterprise, Professional <platform-specific>

Register user accounts or groups with VNC Server so connecting VNC Viewer users are able to authenticate. In addition, grant session permissions to use remote control features while connections are in progress.

Note

This parameter is ignored if Authentication is set to VncAuth. Note also that VNC Permissions Creator is freely available to help create a permissions string in the correct format for VNC Server.

Certain user accounts/groups are pre-registered to provide connectivity out-of-the-box. More information on setting up domain accounts under Linux is available here.

Specify a comma-separated list of users/groups and permissions, each of the form:

<name>:<feature>

where <name> is the name of a valid user account, preceded by % to distinguish a group, and <feature> is a string consisting of particular combinations of at least one of the following characters:

  • s to allow connected users to view the desktop. Note that omitting this value means users see only a blank screen.
  • v to give connected users a view-only set of permissions (equivalent to s in this release).
  • k to allow connected users to exercise control using their keyboards (subject to AcceptKeyEvents).
  • p to allow connected users to exercise control using their mice (subject to AcceptPointerEvents).
  • c to allow connected users to copy and paste between computers (subject to SendCutText and AcceptCutText).
  • t to allow connected users to transfer files between the computers (subject to ShareFiles).
  • r to allow connected users to print to local printers (subject to EnableRemotePrinting).
  • h to allow connected users to chat (subject to EnableChat).
  • d to give connected users a normal set of permissions (equivalent to skpctrh).
  • q to allow connected users to bypass connection prompts (subject to QueryConnect).
  • f to give connected users an administrative set of permissions (equivalent to dq).

Note

Under Linux and Mac, you can omit <name> to infer the VNC Server process owner (User Mode and Virtual Mode) or the root user account (Service Mode). Under Windows, you can use the built-in CREATOR OWNER user to infer the VNC Server process owner (User Mode) or the currently-logged on user account (Service Mode).

Specifying a character corresponds to turning the Allow checkbox on for that feature on VNC Server’s Options > Users & Permissions page. Other behaviors can be modelled as follows:

  • Omit a character to disallow that feature, corresponding to turning the Allow checkbox off. Note that for a group, this can be overridden by individual members. Alternatively, specify -<feature> to disallow that feature from a set, so for example johndoe:d-t grants a normal set of permissions, with the exception of file transfer.
  • ! to explicitly deny a feature, corresponding to turning the Deny checkbox on. This cannot be overridden.

Note

If you use - (to disallow) and ! (to deny) then the order of characters must be allow > disallow > deny.

Consider the following example:

superuser:f,%vncusers:d,johndoe:v,janedoe:skp-t!r

  • The superuser user account grants an administrative set of permissions.
  • The vncusers group grants a normal set of permissions.
  • The johndoe user account grants view-only permissions (assuming johndoe is not a member of vncusers).
  • The janedoe user account grants viewing (s) and controlling permissions (k and p), disallows file transfer, and explicitly denies printing. No position is taken on copy and paste (c) or chat (h). If janedoe is a member of vncusers, then any grant of these permissions is inherited, and those two features are allowed. If janedoe is not a member of vncusers, then these features are disallowed.

PollCursorTime

Platform Mode Default value
Linux Service, User 100

Specify a number of milliseconds to wait before polling the display system for cursor movement.


PollInterval

Platform Mode Default value
Linux Service, User 50

Specify a number of milliseconds to wait before polling the display system for screen updates. A larger number may improve performance, at a potential risk of increasing latency.

Note

This parameter is ignored unless CaptureMethod is set to 0.


ProtocolVersion

Platform Default value
All  

If you have an Enterprise subscription and intend to establish direct connections only, specify a particular value to compel VNC Server to advertize only that version or lower of the underlying RFB protocol.

Note

Do not edit this parameter if you have a Home or Professional subscription, or an Enterprise subscription and intend to establish cloud connections, or remote access will not be available.

  • 3.3
  • 3.7
  • 3.8
  • 4.0
  • 4.1
  • 5.0

The lower the version, the wider the range of VNC-compatible Viewer technology from third parties able to establish direct connections, but the fewer the premium features (such as encryption, file transfer, printing, and chat) available to connected users.

By default, the latest version of the RFB protocol is advertized.


QueryConnect

Platform Default value
All FALSE

Specify TRUE to display connection prompts when particular VNC Viewer users connect. Either a local computer user (if one is present) or an already-connected VNC Viewer user can choose to accept connections, make connections view only, or reject them. If no-one is available, connections are automatically granted QueryTimeoutRights after QueryConnectTimeout.

Note

Some VNC Viewer users may have sufficient session permissions to bypass connection prompts.

See also: QueryOnlyIfLoggedOn


QueryConnectTimeout

Platform Default value
All 10

Specify a number of seconds to display connection prompts for. If no response is received (either from a local computer user or an already-connected VNC Viewer user) during this time, connections are automatically granted QueryTimeoutRights.

See also: QueryConnect


QueryOfferViewOnly

Platform Default value Since
All TRUE 6.2.0

Specify FALSE to hide the view-only option from the connection prompt, leaving only the reject and accept options.

See also: QueryConnect


QueryOnlyIfLoggedOn

Platform Mode Default value
All Service, Virtual FALSE

Not recommended for VNC Server in Service Mode on Mac in this release.

Specify TRUE to display connection prompts only if a user account is currently logged on, and therefore a local computer user is likely to be present. (For VNC Server in Virtual Mode under Linux, the equivalent is if at least one VNC Viewer user is already connected, since no local computer user can be ‘present’ at a virtual desktop.)

Note

This parameter is ignored unless QueryConnect is TRUE.

If no user account is logged on (or if no VNC Viewer user is connected in Virtual Mode), connection prompts are not displayed and all connections are automatically granted QueryTimeoutRights.


QueryTimeoutRights

Platform Default value
All  

Determine whether connections exceeding QueryConnectTimeout are accepted or rejected, and grant session permissions to connected VNC Viewer users.

Note

This parameter is ignored unless QueryConnect is TRUE.

Specify a value consisting of one or particular combinations of the following characters:

  • A null value (QueryTimeoutRights=) to reject connections.
  • s to allow connected users to view the desktop. Note that omitting this value means users see a blank screen.
  • v to give connected users a view-only set of permissions (equivalent to s in this release).
  • k to allow connected users to exercise control using their keyboards (subject to AcceptKeyEvents).
  • p to allow connected users to exercise control using their mice (subject to AcceptPointerEvents).
  • c to allow connected users to copy and paste text between computers (subject to SendCutText and AcceptCutText).
  • t to allow connected users to transfer files between computers (subject to ShareFiles).
  • r to allow connected users to print to local printers (subject to EnableRemotePrinting).
  • h to allow connected users to chat (subject to EnableChat).
  • d to give connected users a default set of permissions (equivalent to skpctrh).

For example, skpc grants connected users viewing (s), controlling (k and p), and copy and paste (c) permissions. The other permissions are omitted, which means the corresponding features are not available.

See also: QueryOnlyIfLoggedOn


QuitOnCloseStatusDialog

Platform Default value
All FALSE

Specify TRUE to stop VNC Server if the VNC Server dialog is closed.

By default, closing merely hides the dialog; it can be shown again from the VNC Server icon under most operating systems.


RandR

Platform Subscription Mode Default value
Linux Enterprise Virtual  

Specify a comma-separated list of geometries to offer the RandR X Window extension, if enabled.

For example, specifying 1024x768,1280x1024,800x600 enables a connected VNC Viewer user to cycle between the three geometries by running the command xrandr -s <0|1|2>.


RemapKeys

Platform Default value
All  

Map or swap keyboard keys. This may be useful if VNC Viewer computer keyboards are likely to be different to the VNC Server computer keyboard.

Specify a comma-separated list of X Window hexadecimal keysyms, either of the form:

  • keysym<>keysym to swap keysyms, for example 0x22<>0x40 to swap " and @.
  • keysym->keysym to map from the first keysym to the second, for example 0x6d->0x6e to cause m to be interpreted as n.

See also: AcceptKeyEvents


RemovePattern

Platform Default value
Windows FALSE

Specify TRUE to replace a repeating pattern on the VNC Server computer’s desktop (under old versions of Windows) with a plain background while a session is in progress. This may improve performance.

See also: RemoveWallpaper, DisableAero, DisableEffects


RemoveWallpaper

Platform Default value
Windows FALSE

Specify TRUE to replace a picture or photo on the VNC Server computer’s desktop with a plain background while a session is in progress. This may improve performance.

See also: RemovePattern, DisableAero, DisableEffects


RfbPort

Platform Subscription Default value
All Enterprise 5900

Specify a number between 1 and 65535 representing an available TCP port on which VNC Server can listen for direct connections. Note that ports 1 to 1024 are restricted by some operating systems.

Note

This parameter is ignored if AllowTcpListenRfb is FALSE.

The default port, 5900, is registered for use by VNC Server with the Internet Assigned Numbers Authority (IANA), and does not need to be explicitly identified by connecting VNC Viewer users.


RightCmdKey

Platform Default value
Mac Super_L

See LeftCmdKey, but for the right Command key.


RightOptKey

Platform Default value
Mac ExtendedChars

See LeftCmdKey, but for the right Option key.


RootSecurity

Platform Subscription Mode Default value
Linux, Mac Enterprise User, Virtual FALSE

Specify TRUE to protect the system credentials of connecting VNC Viewer users from observation by a VNC Server process owner who is not root.

See also: Authentication


RsaPrivateKeyFile

Platform Default value
Linux, Mac $HOME/.vnc/private.key

Specify the full path to a file storing a private key for VNC Server.

Note

VNC Server in Service Mode runs as the root user.

If the private key is missing or corrupt, VNC Viewer users cannot connect. To generate a new private key, stop and restart VNC Server.

See also: Encryption


SecurityTypes

Platform Default value Not after
All <platform-specific> 5.2.3

Note

This parameter has been replaced by Authentication and Encryption from version 5.3.0.

If VNC Server has a VNC 5.x Enterprise or a Personal license key, determine, in conjunction with VNC Viewer, whether:

  • Connections are encrypted end-to-end.
  • The exchange of authentication credentials is encrypted, but subsequent sessions are not. This means data transmitted while sessions are in progress may be susceptible to interception by a third parties.

Note

If VNC Server has a Free license key, connections cannot be encrypted. Authentication credentials, however, are protected by a challenge-response mechanism.

From the table below, specify the ordered, comma-separated combination of security types appropriate to the level of encryption you wish to offer, for the authentication scheme you have chosen (see UserPasswdVerifier). For each connection request, VNC Server offers security types in left-to-right order; VNC Viewer selects the first that accords with the preferences set by the connecting user (see the VNC Viewer Encryption parameter).

Note

Certain security types prevent connections from earlier versions of VNC Viewer (and VNC-compatible Viewer technology from third parties).

Authentication scheme Encryption preference Security types Reverse security types
System authentication Always maximum RA2:256+ RA2:256+
Always on RA2 RA2
Prefer on RA2,RA2ne RA2,RA2ne,None
Prefer off RA2ne,RA2 RA2ne,None,RA2
Single sign-on Always maximum SSO:256+,RA2:256+ RA2:256+
Always on SSO,SSPI,RA2 RA2
Prefer on SSO,SSPI,RA2,SSOne,SSPIne,RA2ne RA2,RA2ne,None
Prefer off SSOne,SSPIne,RA2ne,SSO,SSPI,RA2 RA2ne,None,RA2
VNC password Always maximum RA2:256+ RA2:256+
Always on RA2 RA2
Prefer on RA2,RA2ne,VncAuth RA2,RA2ne,None
Prefer off RA2ne,VncAuth,RA2 RA2ne,None,RA2
None Always maximum RA2:256+ RA2:256+
Always on RA2 RA2
Prefer on RA2,RA2ne,None RA2,RA2ne,None
Prefer off RA2ne,None,RA2 RA2ne,None,RA2

It is possible to specify a custom set of security types, in different combinations to those listed in the table above. Note the following classifications:

  • Any security type incorporating ne (no encryption) signifies that the exchange of authentication credentials will be encrypted, but subsequent sessions are not.
  • VncAuth signifies that authentication is managed by a challenge-response mechanism, offering a measure of protection for credentials. Although it is offered when VNC password authentication is specified, it can only ever be chosen when VNC Server has a Free license key.
  • None signifies that authentication credentials will not be exchanged, and subsequent sessions are not encrypted.
  • SSPI and SSPIne have been superceded by SSO and SSOne respectively. There is no need to specify these security types when using VNC Server and VNC Viewer 5.x.
  • All other security types signify that both the exchange of authentication credentials and subsequent sessions will be encrypted using at least 128-bit AES.

As an example, consider the default security types for VNC Server set to use system authentication and with an encryption preference of ‘prefer on’:

RA2,RA2ne

If a VNC Viewer’s Encryption parameter is set to:

  • AlwaysMaximum, sessions are encrypted end-to-end and upgraded to 256-bit AES, providing VNC Server has an Enterprise license key. (Note connections to VNC Server with a Personal license key cannot be established.)
  • AlwaysOn or PreferOn, sessions are encrypted end-to-end using at least 128-bit AES.
  • PreferOff, the exchange of authentication credentials is encrypted using at least 128-bit AES (that is, VNC Viewer chooses the RA2ne security type), but subsequent sessions are not encrypted.

SendCutText

Platform Default value
All TRUE

Specify FALSE to prevent connected VNC Viewer users copying text on the VNC Server computer and pasting it to their own devices.

See also: AcceptCutText, ClipboardFT


ServiceDiscoveryEnabled

Platform Default value
All TRUE

Specify FALSE to prevent VNC Server automatically advertizing itself on Zeroconf-enabled local networks (for example, Bonjour or Avahi).


ShareFiles

Platform Subscription Default value
All Enterprise, Professional TRUE

Specify FALSE to prevent connected VNC Viewer users exchanging files with the VNC Server computer.

See also: ClipboardFT


SimulateSAS

Platform Mode Default value
Windows Service 1

Specify one of the following values to determine whether connected VNC Viewer users can send the Secure Attention Sequence (SAS, the Ctrl+Alt+Del key combination) to a VNC Server computer running Windows Vista or 7:

  • 0 to respect Windows group policy for SAS, which means that it cannot be sent to computers running most versions of Windows Vista and 7.
  • 1 to override group policy if it has not been explicitly set, which means SAS can be sent in most circumstances.
  • 2 to override group policy even if it has been explicitly set, which means SAS can always be sent.

See also: AcceptKeyEvents


SyslogFacility

Platform Default value
Linux user

Specify one of the following facilities for syslog to use, if available on the system:

  • daemon
  • auth
  • authpriv
  • security
  • local0..local7

Note

This parameter is ignored unless at least one Log entry has an output destination of syslog.


StopUserModeOnSwitchOut

Platform Subscription Mode Default value
Mac Enterprise User TRUE

Specify FALSE to keep VNC Server running when the current user account switches out. Note that not all third party applications may be displayed correctly to connected VNC Viewer users in switched out sessions, for example the Calculator app.

By default, VNC Server stops on switch out, and all VNC Viewer users are disconnected and cannot reconnect.


TcpListenAddresses

Platform Subscription Default value
All Enterprise  

Specify one or more IP addresses owned by the computer (separated by commas) to restrict VNC Server to listening on just those addresses for direct connections. Alternatively, specify:

  • 0.0.0.0 to listen on all IPv4 addresses, but not IPv6.
  • [::] to listen on all IPv6 addresses, but not IPv4.

By default, VNC Server listens on all available addresses for direct connections.

See also: AllowTcpListenRfb


UpdateCheckFrequencyDays

Platform Default value
All 1

Specify a number of days to wait before VNC Server automatically checks for critical software patches and product updates to which you are entitled.


UseCaptureBlt

Platform Default value
Windows TRUE

Specify FALSE to stop VNC Server monitoring updates to some semi-transparent windows such as certain menus and tooltips. This may improve performance or reduce cursor flicker but does mean connected VNC Viewer users do not have perfect picture fidelity.

See also: CaptureMethod


UsePam

Platform Default value
AIX FALSE

Specify TRUE to use PAM instead of LAM to authenticate connecting VNC Viewer users.

See also: PamApplicationName, PamAccountCheck


UserPasswdVerifier

Platform Default value Not after
All <platform-specific> 5.2.3

Note

This parameter has been replaced by Authentication from version 5.3.0.

Specify at least one of the following values to determine the authentication scheme:

  • NtLogon (Windows) or UnixAuth (Mac, Linux) to specify system authentication, which means that VNC Viewer users can connect by supplying the credentials of user accounts (local or domain) registered with the Permissions parameter. Note that an Enterprise or a Personal license key is required. More information on domain accounts under Linux is available here.
  • VncAuth to specify VNC password authentication, which means that VNC Viewer users can connect by supplying password(s) set directly in the Windows Registry or in VNC configuration files by the vncpasswd utility. Run the command vncpasswd -help for more information.
  • None to disable authentication, which means that VNC Viewer users can connect without having to supply a password.

Note

The SecurityTypes parameter must be set to a value or combination of values appropriate to the authentication scheme.

A comma-separated list of values can be specified in order to determine a fallback scheme. Consider the following example:

NtLogon,VncAuth

This means that, if system authentication fails for any reason, VNC password authentication is enforced.

To specify the single sign-on authentication scheme, set the SecurityTypes parameter to include a SS* security type and, under Linux and Mac, create an /etc/vnc/ssolib symlink as described here. The value of UserPasswdVerifier is then used as the fallback authentication scheme if single sign-on fails for any reason (see, for example, the VNC Viewer SingleSignOn parameter).

×