FAQ's Security
General
Anyware Software Client Security Modes
Installing the Internal Root CA Certificate in a Anyware Client
Multi-Factor Authentication (MFA)
Third-Party Multi-Factor Authentication
Anyware Connector Multi-Factor Authentication
FAQ's Security
What are the required TCP/UDP ports for PCoIP technology
Certificate does not work with Firmware Version
SSL Certificates Renewal Assistance
Anyware Software Client Security Modes
The Anyware Software Client uses certificates to verify the identity of the host to which it connects. The security mode is configured by the security_mode setting in the Anyware Client configuration file or by setting its value in the pre-session user interface.
Three security mode options are available:
| Level | Setting value | Description |
|---|---|---|
| High | 2 | Full verification is required; users cannot connect unless a certificate can be verified. |
| Medium | 1 | Warn but allow (default). If the certificate cannot be verified, warn the user, but allow them to connect. |
| Low | 0 | Always allow; verification is not required. |
PCoIP sessions are always encrypted
Your PCoIP session is still encrypted and secure if you connect with security mode 0 or 1. The red padlock icon indicates that the certificate presented by the host is not signed by a trusted certificate authority in the client’s certificate store, not that the session is insecure.
Setting the Security Mode
To set the security mode using the pre-session interface:
- Disconnect any active PCoIP sessions and return to the pre-session interface.
Click the gear icon to open the settings window:
- Click Advanced in the left side menu, and find Security Modes in the right panel.
Select the desired security mode.
To set the security mode programmatically:
- Open
%appdata%\Teradici\Teradici PCoIP Client.iniin a text editor. Add a line that specifies the
security_modeand sets the level:security_mode = <value>...where
<value>is the integer corresponding to the desired security level (0, 1, or 2).- Save the file and close the editor.
Installing the Internal Root CA Certificate in a Anyware Client
Please follow the provided links for additional details
Installing Certificates on Anyware Client for MacOS - PCoIP Software Client for macOS
Installing Certificates on Anyware Client for Windows - PCoIP Software Client for Windows
Installing Certificates on Anyware Client for Linux - PCoIP Software Client for Linux
Multi-Factor Authentication (MFA)
Please follow the provided links for additional details
Multi-Factor Authentication (MFA) - HP Anyware Manager
Third-Party Multi-Factor Authentication
Please follow the provided links for additional details
Third-Party Multi-Factor Authentication - HP Anyware Manager
Anyware Connector Multi-Factor Authentication
Anyware Connector Multi-Factor Authentication - HP Anyware Manager
FAQ's Security
MC user login issue
Login to the PCoIP Management Console web interface
System Administrators can manage PCoIP Management Console Enterprise user accounts by clicking SETTINGS from the top menu and then clicking the "AUTHENTICATION > USERS " tab.
Filter the user account (Local or Active Directory User) that you are facing issue with login
Verify the user status.
The user should be ENABLED(Yes)
What are the required TCP/UDP ports for PCoIP technology?
Answer:
The TCP and UDP ports assigned for PCoIP technology are shown in the tables below.
Please note that IANA assigned port 4172 to the PCoIP protocol.
HP Anyware License Server
| HP Anyware License Server | Port | Port Number | Direction | Description |
|---|---|---|---|---|
| Online License Server | TCP | 7070 | In | License Validation |
| Online License Server | TCP | 443 | Out | License Activation |
| Offline License Server | TCP | 7070 | In | License Validation |
HP Anyware
The following Ports are required for the HP Anyware
| HP Anyware PCoIP Agents | Port | Port Number | Direction | Description |
|---|---|---|---|---|
| HP Anyware all PCoIP Agent versions (Standard & Graphics) | TCP | 443 | In | Client Authentication |
| TCP | 4172 | In | PCoIP Session Establishment | |
| UDP | 4172 | In and Out | PCoIP Session Data | |
| TCP | 60443 | In | Connection Broker Communication | |
| TCP | 443 | Out | Cloud Licensing |
PCoIP Management Console Port for PCoIP Devices
The information below summarizes the ports used by the PCoIP Management Console to manage PCoIP hardware devices.
| Connection Type | Port | Port Number | Description |
|---|---|---|---|
| PCoIP Tera2 Zero Client 5.0 or newer with PCoIP Management Console 2.0 or newer | TCP | 5172 | Management Protocol |
| PCoIP Tera1 and Tera2 PCoIP Zero Client/PCoIP Remote Workstation Card with PCoIP Management Console 1.x.x | TCP | 50000 | CMI (PCoIP Control and Management Interface used by the PCoIP Management Console) |
The following additional ports are required for the Management Console.
| Management Console Version | Port | Port Number | Description |
|---|---|---|---|
| PCoIP Management Console all versions | TCP | 443 | Web Interface |
| PCoIP Management Console all versions** | TCP | 22 | SSH connection |
| PCoIP Management Console 1.x.x | TCP | 21, 20 | FTP connection (for firmware and OSD logo transfers) |
PCoIP Zero Clients
For PCoIP Zero Client to PCoIP Remote Workstation Card connections, the PCoIP protocol uses the following ports:
| Connection Type | Port | Port Number | Description |
|---|---|---|---|
| PCoIP Remote Workstation Card with PCoIP Zero Client on firmware 4.1 (or later), Tera2 PCoIP processor-embedded devices | TCP | 4172 | Supports a double NAT environment. |
| UDP | 4172 (UDP encapsulated) | Supports a double NAT environment. | |
| PCoIP Remote Workstation Card with PCoIP Zero Client on firmware 3.1.x (or later) | TCP | 50001, 4172 | - |
| UDP | 4172 * or IPsec ESP (no port #'s available) | - | |
| PCoIP Remote Workstation Card with PCoIP Zero Client on firmware 3.0.x | TCP | 50001, 50002 | - |
| UDP | 50002 * or IPsec ESP (no port #'s available) | - | |
| PCoIP Remote Workstation Card with PCoIP Zero Client on firmware 2.x (or older) | TCP | 50001 | - |
| UDP | IPsec ESP (no port #'s available) | - |
Note: For more on NAT environments, see Using Network Address Translation (NAT) with PCoIP Zero Client and Remote Workstation Cards.
For PCoIP Zero Client to VMware View connections, the PCoIP protocol uses the following ports:
| Connection Type | Port | Port Number | Description |
|---|---|---|---|
| View 4.5 (or later) with PCoIP Zero Client on firmware 3.1.x (or later) | TCP | 4172 | - |
| UDP | 4172 | - | |
| View 4.0/4.0.1 with PCoIP Zero Client on firmware 3.1.x (or later) | TCP | 50002 | - |
| UDP | 50002 | - | |
| View 4.0/4.0.1 with PCoIP Zero Client on firmware 3.0.x | TCP | 50002 | - |
| UDP | 50002 | - |
VMware Horizon View - PCoIP Component
Consider this port number when transitioning between View 4.0.x and View 4.5 (or later).
| Connection Type | Port | Port Number | Description |
|---|---|---|---|
| View 4.5 (or later) | TCP | 4172 | - |
| UDP | 4172 | - | |
| View 4.0/4.0.1 | TCP | 50002 | - |
| UDP | 50002 | - |
Other VMware View Agent Ports:
To use both a PCoIP Zero Client and a PCoIP Remote Workstation Card (in a workstation or physical PC) with VMware View, the PCoIP protocol uses these additional ports:
| Connection Type | Port | Port Number | Description |
|---|---|---|---|
| PCoIP Zero Client/Remote Workstation Card *** | TCP | 20, 21 | FTP |
| 80 | HTTP | ||
| 427 | SLP ** | ||
| 443 | HTTPS | ||
| UDP | 53 | DNS | |
| 67 | DHCP | ||
| 68 | DHCP | ||
| 123 | NTP ** | ||
| 427 | SLP ** |
To connect with a Horizon (View) Client, the following additional port is used:
| Connection Type | Port | Port Number | Description |
|---|---|---|---|
| Horizon Clients with View Agent 4.5 (or later) | TCP | 32111 | USB redirection (not required for PCoIP Zero Client to View connections) |
| 9427 | Multi-media redirection (not required for PCoIP Zero Client to View connections) |
Note: For more information, see Network connectivity requirements for VMware View Manager 4.5 and later (1027217).
Notes:
* Ports not visible if the PCoIP session uses IPSEC ESP packet format.
** Optional
*** Applicable to firmware release 1.x, 2.x, 3.x
Certificate does not work with Firmware Version
When encountering certificate errors, it is important to check whether the zero client has a valid time. Refer to the following link for instructions on configuring time settings:
Link URL: https://teradici.com/web-help/pcoip_zero_client/tera2/current/configuring_time_settings/
SSL Certificates Renewal Assistance
Before updating SSL certificates, ensure that you aware of the requirements for creating and updating certificates, see Assigning a Certificate to the Connector. You can update your Connectors SSL certificate and key by running the following command and specifying your SSL certificate and SSL key information:
Cloud-access-connector on UBUNTU
sudo cloud-access-connector update --ssl-cert path/to/cert --ssl-key path/to/key
Eg., sudo cloud-access-connector update --ssl-cert /tmp/xyz_cert.pem --ssl-key /tmp/xyz_key.pem
Anyware-connector on Rocky/RHEL
sudo anyware-connector configure --tls-cert path/to/cert --tls-key path/to/key
Eg., sudo anyware-connector configure --tls-cert /tmp/xyz_cert.pem --tls-key /tmp/xyz_key.pem
Certificate format: The SSL certificate must be a PEM file. A CRT formatted file will not work with the update command above.
This command will enable you update your SSL certificate information without having to re-install the Connector. This command also enables you to change your self-signed certificate to a signed certificate.
Domain Controller Certificates
If all DC certificates have expired, the Anyware Connector will stop working. An error indicator will display on the Connectors page when a Anyware Connector has a DC with expired certificates.
A warning indicator that details the current state of the DC certs will display on the same page when a Anyware Connector has a certificate that less than a week away from expiring.
Vault Issues
Please access the following link for information on vault issues and their corresponding solutions
Vault Issues - HP Anyware Manager