FAQ's Security

General

        Anyware Software Client Security Modes

        Installing the Internal Root CA Certificate in an Anyware Client

        Multi-Factor Authentication (MFA)

        Third-Party Multi-Factor Authentication

        Anyware Connector Multi-Factor Authentication

 

FAQ's Security

      MC user login issue

      What are the required TCP/UDP ports for PCoIP technology

      Certificate does not work with Firmware Version

      SSL Certificates Renewal Assistance

      Vault Issues

      

Anyware Software Client Security Modes

The Anyware Software Client uses certificates to verify the identity of the host to which it connects. The security mode is configured by the security_mode setting in the Anyware Client configuration file or by setting its value in the pre-session user interface.

Three security mode options are available:

| Level | Setting value | Description |
|---|---|---|
| High | 2 | Full verification is required; users cannot connect unless a certificate can be verified. |
| Medium | 1 | Warn but allow (default). If the certificate cannot be verified, warn the user, but allow them to connect. |
| Low | 0 | Always allow; verification is not required. |

PCoIP sessions are always encrypted

Your PCoIP session is still encrypted and secure if you connect with security mode 0 or 1. The red padlock icon indicates that the certificate presented by the host is not signed by a trusted certificate authority in the client’s certificate store, not that the session is insecure.

Setting the Security Mode

To set the security mode using the pre-session interface:

  1. Disconnect any active PCoIP sessions and return to the pre-session interface.
  2. Click the gear icon to open the settings window:

  3. Click Advanced in the left side menu, and find Security Modes in the right panel.
  4. Select the desired security mode.

To set the security mode programmatically:

  1. Open %appdata%\Teradici\Teradici PCoIP Client.ini in a text editor.
  2. Add a line that specifies the security_mode and sets the level:

    security_mode = <value>

    ...where <value> is the integer corresponding to the desired security level (0, 1, or 2).

  3. Save the file and close the editor.
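
An added example, not HP's or Teradici's code: one way to audit and enforce security_mode on the text of the client .ini file from a deployment script. It assumes the file holds plain key = value lines and that the last active security_mode line is the one to report; the function names and the sample text are hypothetical.

```python
import re

LEVELS = {0: "Low", 1: "Medium", 2: "High"}  # values from the table above
DEFAULT_MODE = 1  # the page lists Medium (1) as the default

# An active "security_mode = <value>" line. A commented-out copy does not
# match, because it does not begin with the key name.
_LINE = re.compile(r"^\s*security_mode\s*=\s*(.*?)\s*$")


def read_security_mode(ini_text):
    """Return (mode, problems) for the text of the client .ini file."""
    values = [m.group(1) for m in map(_LINE.match, ini_text.splitlines()) if m]
    if not values:
        return DEFAULT_MODE, ["security_mode not set; default (1) applies"]
    problems = []
    if len(values) > 1:
        problems.append("security_mode is set %d times" % len(values))
    raw = values[-1]  # assumption: report the last occurrence
    if raw not in ("0", "1", "2"):
        return None, problems + ["invalid value %r" % raw]
    mode = int(raw)
    if mode < 2:
        problems.append("mode %d (%s) allows unverified hosts" % (mode, LEVELS[mode]))
    return mode, problems


def enforce_security_mode(ini_text, mode=2):
    """Return ini_text with exactly one active security_mode line."""
    if mode not in LEVELS:
        raise ValueError("mode must be 0, 1 or 2")
    out, written = [], False
    for line in ini_text.splitlines():
        if _LINE.match(line):
            if not written:  # replace the first occurrence in place
                out.append("security_mode = %d" % mode)
                written = True
            continue  # drop later duplicates
        out.append(line)
    if not written:
        out.append("security_mode = %d" % mode)
    return "\n".join(out) + "\n"


# Constructed sample; "other_setting" is a placeholder key, not a real one.
SAMPLE = "other_setting = 1\n; security_mode = 2\nsecurity_mode = 0\n"

if __name__ == "__main__":
    print(read_security_mode(SAMPLE))
    print(enforce_security_mode(SAMPLE), end="")
```

The rewritten text uses \n line endings; write it back only while no PCoIP session is active, as in the manual procedure.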

 

Installing the Internal Root CA Certificate in an Anyware Client

 
Please follow the provided links for additional details

 

Installing Certificates on Anyware Client for MacOS - PCoIP Software Client for macOS

Installing Certificates on Anyware Client for Windows - PCoIP Software Client for Windows

Installing Certificates on Anyware Client for Linux - PCoIP Software Client for Linux 

 

Multi-Factor Authentication (MFA)

 
Please follow the provided links for additional details

Multi-Factor Authentication (MFA) - HP Anyware Manager

 

Third-Party Multi-Factor Authentication

 
Please follow the provided links for additional details
Third-Party Multi-Factor Authentication - HP Anyware Manager

 

Anyware Connector Multi-Factor Authentication

Anyware Connector Multi-Factor Authentication - HP Anyware Manager

 

FAQ's Security

 

MC user login issue

  1. Log in to the PCoIP Management Console web interface.

  2. System Administrators can manage PCoIP Management Console Enterprise user accounts by clicking SETTINGS from the top menu and then clicking the "AUTHENTICATION > USERS" tab.

  3. Filter for the user account (Local or Active Directory User) that is having the login issue.

  4. Verify the user status.

  5. The user should be ENABLED (Yes).

 

What are the required TCP/UDP ports for PCoIP technology?

 

Answer:

The TCP and UDP ports assigned for PCoIP technology are shown in the tables below.

Please note that IANA assigned port 4172 to the PCoIP protocol.

HP Anyware License Server

| HP Anyware License Server | Protocol | Port Number | Direction | Description |
|---|---|---|---|---|
| Online License Server | TCP | 7070 | In | License Validation |
| Online License Server | TCP | 443 | Out | License Activation |
| Offline License Server | TCP | 7070 | In | License Validation |

HP Anyware

The following ports are required for HP Anyware:

| HP Anyware PCoIP Agents | Protocol | Port Number | Direction | Description |
|---|---|---|---|---|
| HP Anyware all PCoIP Agent versions (Standard & Graphics) | TCP | 443 | In | Client Authentication |
| | TCP | 4172 | In | PCoIP Session Establishment |
| | UDP | 4172 | In and Out | PCoIP Session Data |
| | TCP | 60443 | In | Connection Broker Communication |
| | TCP | 443 | Out | Cloud Licensing |

PCoIP Management Console Port for PCoIP Devices

The information below summarizes the ports used by the PCoIP Management Console to manage PCoIP hardware devices.

| Connection Type | Protocol | Port Number | Description |
|---|---|---|---|
| PCoIP Tera2 Zero Client 5.0 or newer with PCoIP Management Console 2.0 or newer | TCP | 5172 | Management Protocol |
| PCoIP Tera1 and Tera2 PCoIP Zero Client/PCoIP Remote Workstation Card with PCoIP Management Console 1.x.x | TCP | 50000 | CMI (PCoIP Control and Management Interface used by the PCoIP Management Console) |

 

The following additional ports are required for the Management Console.

| Management Console Version | Protocol | Port Number | Description |
|---|---|---|---|
| PCoIP Management Console all versions | TCP | 443 | Web Interface |
| PCoIP Management Console all versions ** | TCP | 22 | SSH connection |
| PCoIP Management Console 1.x.x | TCP | 21, 20 | FTP connection (for firmware and OSD logo transfers) |

PCoIP Zero Clients

For PCoIP Zero Client to PCoIP Remote Workstation Card connections, the PCoIP protocol uses the following ports:

| Connection Type | Protocol | Port Number | Description |
|---|---|---|---|
| PCoIP Remote Workstation Card with PCoIP Zero Client on firmware 4.1 (or later), Tera2 PCoIP processor-embedded devices | TCP | 4172 | Supports a double NAT environment. |
| | UDP | 4172 (UDP encapsulated) | Supports a double NAT environment. |
| PCoIP Remote Workstation Card with PCoIP Zero Client on firmware 3.1.x (or later) | TCP | 50001, 4172 | - |
| | UDP | 4172 * or IPsec ESP (no port #'s available) | - |
| PCoIP Remote Workstation Card with PCoIP Zero Client on firmware 3.0.x | TCP | 50001, 50002 | - |
| | UDP | 50002 * or IPsec ESP (no port #'s available) | - |
| PCoIP Remote Workstation Card with PCoIP Zero Client on firmware 2.x (or older) | TCP | 50001 | - |
| | UDP | IPsec ESP (no port #'s available) | - |

 

Note: For more on NAT environments, see Using Network Address Translation (NAT) with PCoIP Zero Client and Remote Workstation Cards.

For PCoIP Zero Client to VMware View connections, the PCoIP protocol uses the following ports:

| Connection Type | Protocol | Port Number | Description |
|---|---|---|---|
| View 4.5 (or later) with PCoIP Zero Client on firmware 3.1.x (or later) | TCP | 4172 | - |
| | UDP | 4172 | - |
| View 4.0/4.0.1 with PCoIP Zero Client on firmware 3.1.x (or later) | TCP | 50002 | - |
| | UDP | 50002 | - |
| View 4.0/4.0.1 with PCoIP Zero Client on firmware 3.0.x | TCP | 50002 | - |
| | UDP | 50002 | - |

 

VMware Horizon View - PCoIP Component

Consider this port number when transitioning between View 4.0.x and View 4.5 (or later).
 

| Connection Type | Protocol | Port Number | Description |
|---|---|---|---|
| View 4.5 (or later) | TCP | 4172 | - |
| | UDP | 4172 | - |
| View 4.0/4.0.1 | TCP | 50002 | - |
| | UDP | 50002 | - |

 

Other VMware View Agent Ports:

To use both a PCoIP Zero Client and a PCoIP Remote Workstation Card (in a workstation or physical PC) with VMware View, the PCoIP protocol uses these additional ports:
 

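| Connection Type | Protocol | Port Number | Description |
|---|---|---|---|
| PCoIP Zero Client/Remote Workstation Card *** | TCP | 20, 21 | FTP |
| | TCP | 80 | HTTP |
| | TCP | 427 | SLP ** |
| | TCP | 443 | HTTPS |
| | UDP | 53 | DNS |
| | UDP | 67 | DHCP |
| | UDP | 68 | DHCP |
| | UDP | 123 | NTP ** |
| | UDP | 427 | SLP ** |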

To connect with a Horizon (View) Client, the following additional port is used:

| Connection Type | Protocol | Port Number | Description |
|---|---|---|---|
| Horizon Clients with View Agent 4.5 (or later) | TCP | 32111 | USB redirection (not required for PCoIP Zero Client to View connections) |
| | TCP | 9427 | Multi-media redirection (not required for PCoIP Zero Client to View connections) |

 

Note: For more information, see Network connectivity requirements for VMware View Manager 4.5 and later (1027217).

Notes:

* Ports not visible if the PCoIP session uses IPSEC ESP packet format.
** Optional
*** Applicable to firmware release 1.x, 2.x, 3.x

 


Certificate does not work with Firmware Version
When encountering certificate errors, it is important to check whether the zero client has a valid time. Refer to the following link for instructions on configuring time settings: 

Link URL:  https://teradici.com/web-help/pcoip_zero_client/tera2/current/configuring_time_settings/

 

SSL Certificates Renewal Assistance

Before updating SSL certificates, ensure that you are aware of the requirements for creating and updating certificates; see Assigning a Certificate to the Connector. You can update your Connector's SSL certificate and key by running the following command and specifying your SSL certificate and SSL key information:

Cloud-access-connector on Ubuntu

sudo cloud-access-connector update --ssl-cert path/to/cert --ssl-key path/to/key
E.g., sudo cloud-access-connector update --ssl-cert /tmp/xyz_cert.pem --ssl-key /tmp/xyz_key.pem

Anyware-connector on Rocky/RHEL

sudo anyware-connector configure --tls-cert path/to/cert --tls-key path/to/key
E.g., sudo anyware-connector configure --tls-cert /tmp/xyz_cert.pem --tls-key /tmp/xyz_key.pem


Certificate format: The SSL certificate must be a PEM file. A CRT formatted file will not work with the update command above.

This command enables you to update your SSL certificate information without having to re-install the Connector. It also enables you to change your self-signed certificate to a signed certificate.
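
An added pre-flight check, not part of the Connector tooling: it confirms that the certificate and key files are PEM-encoded before they are passed to the update command, and wraps a binary DER certificate in PEM. It checks encoding only, and it assumes the rejected CRT file is DER-encoded; the function names and sample bytes are constructed for illustration.

```python
import base64
import re
import ssl

_PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.+?)\r?\n-----END \1-----", re.DOTALL)


def classify(data):
    """Return 'pem:<LABEL>', 'der' or 'unknown' for a cert or key file's bytes."""
    m = _PEM_BLOCK.search(data)
    if m is None:
        # A DER X.509 certificate starts with SEQUENCE + 2-byte length (30 82).
        return "der" if data[:2] == b"\x30\x82" else "unknown"
    try:
        body = base64.b64decode(b"".join(m.group(2).split()), validate=True)
    except ValueError:  # corrupt base64 between the BEGIN/END lines
        return "unknown"
    # PEM is base64-wrapped DER, so the decoded body must start with 0x30.
    return "pem:" + m.group(1).decode("ascii") if body[:1] == b"\x30" else "unknown"


def preflight(cert_bytes, key_bytes):
    """Return a list of problems; an empty list means both files are PEM."""
    problems = []
    cert_kind = classify(cert_bytes)
    if cert_kind == "der":
        problems.append("certificate is binary DER; convert it to PEM first")
    elif cert_kind != "pem:CERTIFICATE":
        problems.append("certificate file has no PEM CERTIFICATE block")
    key_kind = classify(key_bytes)
    if not (key_kind.startswith("pem:") and key_kind.endswith("PRIVATE KEY")):
        problems.append("key file has no PEM PRIVATE KEY block")
    return problems


def der_to_pem(der_bytes):
    """Wrap DER certificate bytes in PEM armor (standard-library helper)."""
    return ssl.DER_cert_to_PEM_cert(der_bytes).encode("ascii")


# Constructed placeholder bytes, not a real certificate or key.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)
FAKE_KEY_PEM = (b"-----BEGIN PRIVATE KEY-----\n" + base64.b64encode(FAKE_DER)
                + b"\n-----END PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(preflight(FAKE_DER, FAKE_KEY_PEM))
    print(preflight(der_to_pem(FAKE_DER), FAKE_KEY_PEM))
```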

Domain Controller Certificates

If all DC certificates have expired, the Anyware Connector will stop working. An error indicator will display on the Connectors page when an Anyware Connector has a DC with expired certificates.

A warning indicator that details the current state of the DC certs will display on the same page when an Anyware Connector has a certificate that is less than a week away from expiring.

 

Vault Issues

Please access the following link for information on vault issues and their corresponding solutions

Vault Issues - HP Anyware Manager