FAQ's HP Anyware Manager/Connector


FAQ's - HP Anyware Connector  

General

Anyware Connector is an access hub installed in the customer environment that facilitates PCoIP Client connections to remote workstations. It operates in conjunction with HP Anyware Manager to provide user authentication and entitlement for remote workstation access, including MFA. It enables secure connectivity between users and the remote workstations and eliminates the need for a dedicated virtual private network (VPN) by providing Network Address Translation (NAT) services for external users.

Anyware Connector enables Anyware Manager to broker desktops or workstations based in AWS, Google Cloud, Microsoft Azure, and on-premises environments. Based on your infrastructure, you may need more than one instance of the Connector. The Connector communicates with the Anyware Manager that orchestrates and manages system deployments.

Health Checks
  1. Client Health Check - Diagnostics and troubleshooting guide
  2. Host Health Check - Diagnostics and troubleshooting guide

Troubleshooting

The Certificate for the Domain Controller is Untrusted or Invalid

Causes:

If you receive this error, it is likely that during an install attempt you accidentally entered the IP address of your domain controller instead of the domain name when prompted for your domain. This entry must be your domain name (not the domain controller name or IP address).

Resolution:

Re-running the install command with the proper domain name will not fix this issue, because this information has been cached in the CASM deployment.

If this is a new deployment with no HP Anyware Connector:

  1. Delete the deployment from the CASM Dashboard
  2. Create a new deployment
  3. Re-run the install command with your new deployment token
  4. Ensure you enter your domain name when prompted, not the domain controller FQDN or IP address

Reference: Errror-failed-to-find-anything-in-domain-dn-when-installing-cloud-access-connector

Failed to communicate with Connection Manager

Causes:
  1. The error generally means that the HP Anyware Connector was unable to communicate with the Domain Controller due to an LDAPS certificate issue. The HP Anyware Connector will only fetch the Domain Controller's certificate at the time of install or update. If the certificate has been changed or recently renewed the HP Anyware Connector will need to be updated to fetch the latest certificate.
  2. This error can also occur if the domain controller machine's IP address is used while updating or installing the HP Anyware Connector.
Resolution:

Check that LDAPS is enabled on the Domain Controller, the LDAPS certificate is valid and not expired and the Domain Controller is using the correct certificate.

The easiest way to check is to make a TLS connection on the LDAPS port to the domain controller from the HP Anyware Connector VM. This will check if the HP Anyware Connector can reach the domain controller over port TCP 636.

openssl s_client -connect dc1.domain.com:636

Also make sure that the certificate is not expired or otherwise invalid (for example, an incorrect Common Name or Subject Alternative Name):

openssl s_client -connect dc1.domain.com:636 </dev/null 2>/dev/null | openssl x509 -noout -dates

 

If the Domain Controller returns an expiration date in the past, then you will need to update the HP Anyware Connector to fetch the latest certificates.
See: How to update a HP Anyware Connector

  • This error can also occur if the domain controller machine's IP address is used while installing or updating the HP Anyware Connector. Use the FQDN of the domain controller machine instead. The certificate subject name generally contains the fully qualified domain name of the machine you are connecting to, so if you connect to that machine by IP address, certificate validation fails.
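
The expiry and name checks described above, as a small script. This is an added example, not part of the original article: the function names and the address 10.0.0.5 are hypothetical, and the test certificate is constructed locally for the article's sample name dc1.domain.com.

```shell
#!/bin/sh
# Added example: LDAPS certificate checks for the Connector's domain controller.

# fetch_ldaps_cert HOST OUT_PEM: save the certificate the DC presents on TCP 636.
fetch_ldaps_cert() {
    openssl s_client -connect "$1:636" </dev/null 2>/dev/null |
        openssl x509 -outform PEM -out "$2"
}

# cert_valid_for PEM SECONDS: succeeds if the certificate is still valid
# SECONDS from now (0 means "not expired right now").
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# cert_matches PEM NAME: succeeds if NAME is covered by the certificate.
# Digits-and-dots input is checked as an IP address, anything else as a DNS name.
cert_matches() {
    case "$2" in
        *[!0-9.]*) check=-checkhost ;;
        *)         check=-checkip ;;
    esac
    openssl x509 -in "$1" -noout "$check" "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# make_sample_cert PEM: constructed self-signed certificate, valid for one day,
# naming only the FQDN (as a typical domain controller certificate does).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=dc1.domain.com" \
        -addext "subjectAltName=DNS:dc1.domain.com" \
        -keyout "$1.key" -out "$1" 2>/dev/null
    rm -f "$1.key"
}

# report PEM NAME: print a verdict for the expiry check and the name check.
report() {
    if cert_valid_for "$1" 0; then echo "not expired"; else echo "EXPIRED"; fi
    if cert_matches "$1" "$2"; then
        echo "$2: matches certificate"
    else
        echo "$2: does NOT match certificate"
    fi
}

if [ "${1:-}" = "--demo" ]; then
    pem=$(mktemp)
    make_sample_cert "$pem"
    report "$pem" dc1.domain.com   # FQDN: matches
    report "$pem" 10.0.0.5         # constructed IP address: does not match
    rm -f "$pem"
fi
```

Against a real domain controller, run `fetch_ldaps_cert dc1.domain.com dc.pem` from the HP Anyware Connector VM and pass `dc.pem` to `report` together with the name you intend to enter during install or update.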
 
  • Unable to connect to myhost.cloudaccesslabs.com. Please enter a new name or IP address 

  • The network connection has been lost

  • This desktop has no sources available or it has timed out. Please try connecting to this desktop again later

Note: For all three of the issues mentioned above, please refer to the solution provided below

Causes:

For a PCoIP session to successfully start, certain ports must be open for the PCoIP Client, PCoIP Agent, PCoIP Connection Manager and PCoIP Security Gateway to communicate.

When the PCoIP client is connecting directly to the PCoIP Agent and is not being brokered, the following ports must be open:

  • TCP port 443 (or TCP port 60443)
  • TCP port 4172
  • UDP port 4172, both receiving and sending on the agent from UDP port 4172 to any port number.
  • TCP 443 to Teradici Cloud Licensing or TCP 7070 to the local license server

When connecting via PCoIP Connection Manager and PCoIP Security Gateway, the following ports must be open:

  • Between the client and PCoIP Connection Manager
    • TCP port 443
  • Between the client and PCoIP Security Gateway
    • TCP port 4172
    • UDP port 4172, both receiving and sending on the PCoIP Security Gateway
  • Between the PCoIP Connection Manager and PCoIP Agent
    • TCP port 60443
  • Between the PCoIP Security Gateway (connector_cmsg on the CAS Connector) and PCoIP Agent
    • TCP port 4172
    • UDP port 4172
Resolution:

Blocked TCP 443

If the client shows the error "Error: Unable to connect to myhost.cloudaccesslabs.com. Please enter a new name or IP address." when trying to connect to the PCoIP Connection Manager or directly to a host, it may be because of:

  1. Blocked TCP port 443
    During the installation process, the PCoIP Agent will open the required firewall ports in the Windows and Linux operating system default firewalls. If you are using Microsoft Windows, ensure the Windows Firewall service is running and re-install the PCoIP Agent. If you are using a third-party or non-default firewall, ensure a rule is in place to allow TCP port 443.
  2. Blocked TCP port 60443 (backup port on direct client to host connection)
    During the installation process, the PCoIP Agent will open the required firewall ports in the Windows and Linux operating system default firewalls. If you are using Microsoft Windows, ensure the Windows Firewall service is running and re-install the PCoIP Agent. If you are using a third-party or non-default firewall, ensure a rule is in place to allow TCP port 60443. TCP port 60443 may be used as an alternative to TCP port 443 if another application requires TCP port 443.
  3. Fully qualified domain name cannot be resolved by DNS.
    Test DNS resolution in your operating system and confirm the fully qualified domain name resolves to the IP address. You can also try connecting via IP address.
Reference Link:  Troubleshooting-pcoip-session-connection-issues

 

Broker failed to allocate the resource

Cause:

Broker failed to allocate the resource is a timeout error when broker fails to connect. The Broker is not able to reach the agent. Reasons for the error include:

  1. Unknown/expired JSESSIONID
  2. One or more required ports are blocked; TCP 443, 60443, 4172 and UDP 4172.
  3. The trusted storage on the Agent has become corrupted. "This version of trusted storage is not supported."
  4. Other
Resolution:
1. Unknown/expired JSESSIONID

Review the broker logs under var/log.anyware-connector for the "Session-Log-ID found:" message that occurs before the (6606) error.

Load Balancer Issue:

  • Ensure the load balancer decides which CM a client connects to based on the jsessionid.
  • If the load balancer round robins IPs based on time, a user that is mid-session establishment during the switch would be impacted by this. You could lengthen the round robin time, or remove it entirely.
  • See How to configure a Load Balancer for the HP Anyware Connector.

      

2. One or more required ports are blocked; TCP 443, 60443, 4172 and UDP 4172.
 

The following ports are required for HP Anyware. Make sure these ports are not blocked.

| HP Anyware PCoIP Agents | Port | Port Number | Direction | Description |
|---|---|---|---|---|
| HP Anyware all PCoIP Agent versions (Standard & Graphics) | TCP | 443 | In | Client Authentication |
| | TCP | 4172 | In | PCoIP Session Establishment |
| | UDP | 4172 | In and Out | PCoIP Session Data |
| | TCP | 60443 | In | Connection Broker Communication |
| | TCP | 443 | Out | Cloud Licensing |

 
3. The trusted storage on the Agent has become corrupted. "This version of trusted storage is not supported."

Review the PCoIP Agent logs on the host for entries similar to:
AGENT :Failed to start the Agent:  Failed to add FNE trial license source: [1,7E3,4,0[70000027,0,5002E]]  This version of trusted storage is not supported.

It means the local trusted storage has become corrupted.

  1. Delete the contents of C:\ProgramData\Teradici\PCoIPAgent\licensing\5 in Windows, or /var/lib/pcoip-agent/licensing/5 (requires root permissions) in Linux.
  2. Restart the appropriate agent service (PCoIP Graphics Agent or PCoIP Standard Agent on Windows, or pcoip-agent on Linux)
  3. If using HP Anyware Cloud Licensing (not using a local license server), re-register the host.
Other Reasons
  1. Please ensure that you are using the latest version of Client and Agent.
  2. If possible, try to establish a direct connection without using a broker. This helps determine whether the broker is the reason for the issue.
  3. If you still see the issue, open a support ticket from our support site, https://help.teradici.com/s/contactsupport
Reference Link: Error-broker-failed-to-allocate-the-resource

 

Communication to domain controller is not successful

The reference link below lists some known specific sources of failure, how to determine whether you are hitting that specific failure, and any known resolutions relating to the Cloud Access Connector Broker.

HP Anyware Manager logs can be found under:  
/var/log/cloud-access-connector  
https://www.teradici.com/web-help/pcoip_cloud_access_manager/CACv2/troubleshooting/troubleshooting_logs/

Reference link:  Cloud-access-connector-broker-error-codes

 

Password Complexity not met. More secure passwords typically have a combination of upper and lower case characters, digits and symbols 

The password must be updated through the client when it expires or otherwise needs to be changed, and the new password must meet the complexity requirements specified by the domain policy.

 

FAQ's - HP Anyware Manager

General

Anyware Manager is an HP management plane that enables users to configure, manage and monitor brokering of remote workstations. Anyware Manager enables highly scalable and cost-effective Anyware Software deployments by managing cloud compute costs and brokering PCoIP connections to remote workstations; see Anyware Software for supported hosts.

Anyware Manager is offered in 2 variants – as an HP managed Service, and as an installable instance deployed and managed by the users in their on-premises or cloud environments.

Health Checks
  1. Client Health Check - Diagnostics and troubleshooting guide
  2. Host Health Check - Diagnostics and troubleshooting guide

Troubleshooting  

You are not entitled to any resource on this domain. Please enter another domain or ask your system administrator to assign a resource to you

If you are having difficulties connecting a PCoIP client to a remote host and are receiving a 4-digit error code, the following table provides suggested next steps. If you don't see the error code in the table below, open a case with HP Anyware Global Support Services and provide both the host and client logs.

Reference Link: what-do-the-pcoip-session-4-digit-error-codes-mean-when-experience-issues-connecting

| Error Code | Error Message | Description | Suggested Next Steps |
|---|---|---|---|
| 6404 | Error 6404: The connection broker failed to allocate the resource. Please try again. If this failure persists, please report this failure to your system administrator. | There was a failure connecting the user to their remote host. This could be that the request timed out or that the remote host could not be started. | RDP in and ensure the PCoIP Agent software is running on the remote host. |
| 6405 | Error 6405: PCoIP Agent failed to launch the remote session. Please try again. If this failure persists, please report this failure to your system administrator. | The session could not be initiated. | The remote host may be in the process of rebooting; try again in a few minutes. RDP in and ensure the PCoIP Agent software is running on the remote host. |
| 6603 | Error 6603: Command failed. Please report this failure to your system administrator. | | Ensure the PCoIP clients are responding to the DNS with correct information. |
| 6604 | Error 6604: Communication failed due to incompatible software versions. Your client or connection broker software needs to be upgraded. Please report this failure to your system administrator. | The client software or firmware and the PCoIP Connection Manager were incompatible with each other. | Ensure the user is using the most current available software or firmware, and that the PCoIP Connection Manager is the most current version available. |
| 6607 | Error 6607: Command failed due to a connection broker failure. Please try again. If this failure persists, please report this failure to your system administrator. | Multiple users not able to connect to AWS. | Amazon confirmed this error is an AWS Active Directory issue. |
| 6608 | Error 6608: Command failed due to a connection broker communication failure. Please try again. If this failure persists, please report this failure to your system administrator. | | Error 6608 can be seen if there is any connection timeout between different components of the setup. Most probably it is a connection timeout between the connection manager and the broker during the authentication phase. Also ensure your Domain Controllers are available. |
| 6609 | Error 6609: Command failed due to a PCoIP Agent failure. Please try again. If this failure persists, please report this failure to your system administrator. | The PCoIP Agent software is running but was unable to establish a session within the timeout period. This error can be caused by the "interactive logon banner" being enabled in group policies. | Try again. If the problem persists, RDP into the host and ensure that the PCoIP Agent is running and stop any processes that are consuming excessive CPU cycles. Disable the "interactive logon banner" if enabled. |
| 6611 | Error 6611: Command failed due to a PCoIP Connection Manager failure. Please try again. If this failure persists, please report this failure to your system administrator. | | Ensure that all directory controllers in your pool are online, reachable, and resolvable by the PCoIP Connection Manager. Reference: Error 6611, a failed connection message specific to the PCoIP Connection Manager? |
| 6615 | Error 6615: Communication failed due to incompatible capabilities between the client and the connection broker. Your client or connection broker software needs to be upgraded. Please report this to your system administrator. | Software incompatibility between the client software and the PCoIP Connection Manager. | Ensure the user is using the most current available software or firmware, and that the PCoIP Connection Manager is the most current version available. |
| 6904 | You are not entitled to any resource on this domain. Please enter another domain or ask your system administrator to assign a resource to you. | There is no host server associated with the user in the DNS system. | Contact your administrator to ensure that the user is associated with a host server through the configured DNS system or Active Directory. |
| 6905 | User authentication failed. Too many failed attempts to login. | The user failed to log in due to their account being locked as a result of too many failed login attempts as per corporate policy set in Active Directory. | Administrator/User to follow corporate procedures to reset the account. |
| 6907 | Your password has expired and must be changed. | The user's password is expired and as a result they were unable to log in. | Administrator/User to follow corporate procedures to change the user's password. |
| 6908 | Error 6908: Failed to authenticate. The connection broker detected an unexpected authentication method. Please report this failure to your system administrator. | There was a failure in communication between the PCoIP Connection Manager. | Ensure the PCoIP Connection Manager is the most current version available. |

 
Installation Error

<TBD>

Login issues

Password Configuration

You need to configure a password to install an Anyware Manager instance on your system. The password adds a layer of protection to the system and is required when accessing the Web Admin Console. To meet the security standards, the password should be 8 characters in length with a minimum of 1 uppercase letter, 1 lowercase letter, 1 number and 1 special character.

Password Special Character

The % character and whitespaces are not supported.

The Anyware Manager installer requires the Web Admin password and prompts for it. If this behavior is not preferred, the password can be passed to the install command using:

--manager-admin-password

In case you forget the password, you can reset it using the following flag with the configure command:

--reset-admin-password

Password File

The /opt/teradici/casm/temp-creds.txt file, which could store the Anyware Manager password, is no longer created by the installer. If you forget your password, you need to reset it using the --reset-admin-password flag.


To retrieve the password, execute the following shell command:

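#!/bin/bash
# Prints the password entries stored under the Vault path used by Anyware Manager.
# The output contains secrets: run it in a trusted terminal and do not log it.
#set -ex
VAULT_ADDR=https://127.0.0.1:8200
VAULT_TAR_FILE=casm-vault.tar.gz
VAULT_BACKUP_DIR=casm-vault
VAULT_LOGS_DIR=/opt/teradici/casm/vault/logs
VAULT_TAR_FULL_PATH=$VAULT_LOGS_DIR/$VAULT_TAR_FILE
# Read the Vault root token from the Kubernetes secret
VAULT_TOKEN=$(/usr/local/bin/kubectl get secrets/vault-secret --template='{{.data.roottoken}}' | base64 -d | xargs printf "%s\n")
VAULT_PATH=secret/
VAULT_CONTAINER_PATH=/vault
# This is the way to get it if we want to get it dynamically
#VAULT_PATH=`/usr/local/bin/kubectl get secrets/app --template={{.data.VAULT_SECRET_PATH}} | base64 -d | xargs printf "%s\n"`
# Get all keys from Vault and print the entries that contain a password.
# Plain $VARS are expanded locally; \$-escaped ones are expanded inside the container.
# The heredoc terminator (EOF) must start in the first column.
/usr/local/bin/kubectl exec deploy/vault -- sh -c "$( cat <<EOF
#!/bin/sh
set -e
export VAULT_ADDR=$VAULT_ADDR
export VAULT_SKIP_VERIFY=true
vault login $VAULT_TOKEN > /dev/null
[ -d "$VAULT_BACKUP_DIR" ] && rm -rf $VAULT_BACKUP_DIR
mkdir $VAULT_BACKUP_DIR
# tail -n +3 skips the two header lines printed by "vault kv list"
for key in \$( vault kv list $VAULT_PATH | tail -n +3 ); do
# "|| true" keeps set -e from aborting on a key that has no password field
vault kv get -format=json -field=data $VAULT_PATH\$key | grep password || true
done
EOF
)"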

Reference admin guide link:

https://www.teradici.com/web-help/anyware_manager/current/anyware_manager/awm_default_installation/#password-configuration

 

Add additional admins

The following section outlines the steps to set up and configure SAML for Anyware Manager using the Anyware Manager Admin Console:

  1. From the account icon click Multi Admin Settings to create a new multi-admin configuration.
  2. Register Anyware Manager as an SP with your IDP. You can obtain the Assertion Consumer Service URL and Audience URL from the Configuration Info section. Use this information to configure your IDP to recognize Anyware Manager as an SP.
  3. Configure Anyware Manager to be able to connect to your IDP. Obtain the Identity Provider Login URL and Identity Provider Certificate from your IDP and configure the IDP Settings section accordingly. Alternatively you can also upload an IDP XML Metadata file in the IDP Settings section.
  4. Enable Multi-Admin configuration to use configured IDP. Make sure that your configuration is enabled by toggling the switch at the bottom of the Configuration Info section and confirm that you see the Configuration is enabled message.
  5. Configure Anyware Manager Assertion Attributes:
    • To allow an individual user as admin, go to the Allowed Admins section and add the UPN associated with that user. Anyware Manager validates the UPN against the NameId SAML assertion attribute in the SAML response received from the IDP.
    • To allow user groups, go to the Allowed Groups section and configure the Group Attributes accordingly. This configures Anyware Manager to validate the Group Name and/or Group ID SAML attribute assertions in the SAML response received from the IDP.
    • You can configure either Allowed Admins or Allowed Groups or both in the Multi-Admin Settings.
  6. Allowed users can now access Anyware Manager by opening the Anyware Manager login page URL, which is available in the Configuration Info section. Alternatively, users can log in directly via the IDP using the Direct login via identity provider URL, also available in the Configuration Info section.

 

Reference admin guide link:

https://www.teradici.com/web-help/anyware_manager/current/anyware_manager/admin_console/awm_saml_configuration/#configure-anyware-manager-as-a-saml-service-provider-to-enable-multi-admin