Transition from existing CACv2 on Ubuntu to Anyware Connector RHEL/ROCKY


The Anyware Connector runs on RHEL/Rocky Linux, so there is no in-place upgrade or migration from the Ubuntu-based CACv2 in the usual sense. A few steps, however, make the transition to the Anyware Connector smooth and straightforward:

How to minimize downtime during the transition

The RHEL/Rocky Linux Connector (Anyware Connector) can coexist with the Ubuntu Connector in the same Anyware Manager deployment. It is strongly recommended that you let the new Anyware Connector run for some time and confirm that it is working properly before retiring the old Connector; this keeps downtime to a minimum.

What's the difference in Connectors?

Feature: OS
  Ubuntu Connector (CACv2): Ubuntu 18.04
  Anyware Connector: RHEL/Rocky Linux 8, 9

Feature: Packaging
  Ubuntu Connector (CACv2): Tar file
  Anyware Connector: RPM package

Feature: Deployment
  Ubuntu Connector (CACv2): Docker Swarm
  Anyware Connector: Kubernetes (K3s)

Feature: Configuration method
  Ubuntu Connector (CACv2): Command-line flags; the installer prompts interactively for any required flag that was not supplied.
  Anyware Connector: Configuration file and/or command-line flags. The configure command returns an error if required flags/parameters are missing; it does not prompt.

Feature: Required configuration flags
  Ubuntu Connector (CACv2):
    --token
    --domain
    --sa-user
    --sa-password
    --accept-policies
    --self-signed (or --ssl-key and --ssl-cert)
  Anyware Connector:
    --token
    --domain
    --sa-user
    --sa-password
    --accept-policies
    --self-signed (or --tls-key and --tls-cert must be provided)
    --manager-insecure (required when Anyware Manager uses a self-signed certificate and --manager-ca-cert is not supplied)
    --ldaps-ca-cert (or --ldaps-insecure)
    --computers-dn (for the first Connector of the deployment)
    --users-dn (for the first Connector of the deployment)

Feature: MFA configuration
  Ubuntu Connector (CACv2): MFA is bypassed for connection requests from internal PCoIP Clients; internal and external clients have different MFA configurations.
  Anyware Connector: When MFA is enabled on the Connector for RHEL/Rocky Linux, all PCoIP Clients that authenticate through that Connector are prompted for MFA credentials, internal ones included. Previously, only external PCoIP Clients were prompted.

Feature: Federated user authentication/SSO
  Ubuntu Connector (CACv2): Available
  Anyware Connector: Available

Feature: AD service account
  Ubuntu Connector (CACv2): The Active Directory service account username and password are required.
  Anyware Connector: The Active Directory service account is optional.

Feature: AD LDAPS certificate
  Ubuntu Connector (CACv2): If --ldaps-ca-cert is not provided during installation, the Connector collects the AD CA certificate automatically by connecting to each DC on the LDAPS port and saves it to the Connector's CA certificate store.
  Anyware Connector: The Active Directory CA certificate must be provided to the installer with the --ldaps-ca-cert parameter or in the configuration file. Certificate validation can be skipped with --ldaps-insecure, and for testing only the AD connection can use plaintext LDAP with --enable-ldap-plaintext. Neither belongs in production: without validation the Connector accepts whatever certificate is presented on the LDAPS port, and plaintext LDAP sends the service-account credentials and user logons in the clear.

Feature: Connector TLS key and certificate flags
  Ubuntu Connector (CACv2): --ssl-key and --ssl-cert
  Anyware Connector: --tls-key and --tls-cert

Feature: Installation commands
  Ubuntu Connector (CACv2): Download the installer from teradici.com and extract the package, then run the install-and-configure command with the required flags: sudo /usr/sbin/cloud-access-connector install <flags>. The installer prompts for any mandatory flag you did not provide on the command line.
  Anyware Connector:
    Online environment:
      · Add the Connector repository.
      · Configure SELinux.
      · Install the Connector RPM: sudo dnf install -y cas-connector
    Darksite environment:
      · Download and transfer the installation files.
      · Extract the file and run the install script.
    The next steps are the same for online and darksite environments:
      · Generate the Connector token.
      · Configure the Connector with flags or a configuration file: sudo /usr/local/bin/cas-connector configure <flags or path to config file>
    The configure command fails with a missing-parameter error if a mandatory flag or parameter is absent. (In current releases the package and binary are named anyware-connector rather than cas-connector, as in the installation section later in this article.)

Feature: Update configuration
  Ubuntu Connector (CACv2): sudo /usr/sbin/cloud-access-connector update <flags to be updated>
  Anyware Connector: sudo /usr/local/bin/cas-connector configure <flags or path to config file>

Feature: Upgrading the Connector
  Ubuntu Connector (CACv2): sudo /usr/sbin/cloud-access-connector update <flags to be updated, if any are required>
  Anyware Connector: sudo dnf update cas-connector, then sudo /usr/local/bin/cas-connector upgrade

Feature: Diagnose commands
  Ubuntu Connector (CACv2): You can diagnose remote workstation connectivity and Active Directory connectivity by running the diagnose command (see "Cloud Access Connector Connectivity Issues - Teradici CAS Manager").
  Anyware Connector: The connectivity diagnosis command is not supported. Check the health of the Connector with sudo /usr/local/bin/cas-connector diagnose --health, and create a support bundle with sudo /usr/local/bin/cas-connector diagnose --support-bundle. Maintenance mode is also controlled through diagnose: diagnose --maintenance-mode on puts the Connector into maintenance mode so that no new sessions are accepted; diagnose --maintenance-mode off turns maintenance mode off so that new sessions are accepted again.

Feature: Internal/external session detection and networking
  Ubuntu Connector (CACv2): Typically CAC works without special configuration, but in some cases you may need to set --internal-client-cidr and --external-client-cidr explicitly so that sessions are classified correctly (for example when a firewall NATs external connections). If you have no external users you can disable the security gateway with --enable-security-gateway=false; otherwise it is enabled (true) by default. Set the public IP with the --external-pcoip-ip flag.
  Anyware Connector: Three flags control the Connector's internal (Kubernetes) network: --cluster-cidr sets the cluster (pod) CIDR, default 10.42.0.0/16; --service-cidr sets the service CIDR, default 10.43.0.0/16; --cluster-dns sets the cluster DNS IP address, default 10.43.0.10, which must lie inside the service CIDR. Change the defaults if they overlap a subnet the Connector must reach (domain controllers, remote workstations, Anyware Manager), otherwise that traffic is routed into the cluster network instead of out of the host. In this release an Anyware Connector supports either external or internal PCoIP connections, not both; two separate Connectors are required to serve both kinds of client.

Other helpful flags:
  --debug

 

 

 

Before Installing Anyware Connector

Preparing the Connector Server on RHEL/Rocky Linux

This guide outlines the minimum system requirements and network configurations for installing the Anyware Connector on Rocky Linux and RHEL.

https://anyware.hp.com/web-help/anyware_manager_connector/24.07/anyware_connector/prerequisite/awc_connector_server/

Minimum System Requirements:

  • Operating System: Rocky Linux 8,9 or RHEL 8,9
  • RAM: Minimum 8 GB
  • CPU: 4 vCPUs
  • Storage: 60 GB VM storage
  • Additional Requirements:
    • If using LVM and /var is mounted on a separate volume, that volume must have at least 30 GB of free space for the installation to succeed and the Connector to perform well.

 

Network Requirements:

To set up the Anyware Connector, ensure the following network and environmental conditions are met:

  • Internet Access: Required for online installation (for Darksite/offline installations, see the Darksite installation instructions at https://anyware.hp.com/find/product/hp-anyware/2024.07/anyware-connector-rhelrocky-linux).
  • FQDN Resolution: The server must be able to resolve the AD domain FQDN.
  • Active Directory (AD): You must have an AD user account within the designated Connector domain admin group to access the Admin Console.
  • Ports Configuration/Firewall Configuration: The virtual machine must have the following ports enabled:
    • TCP 443
    • TCP/UDP 4172
    • TCP 60443
    • TCP 636
    • If using a local license server, open TCP 7070.

 

  • SSH Access: Console access to the virtual machine via SSH is required.
  • Superuser Privileges: You need sudo privileges on the server.
  • Network Configuration: The server's networking settings (including the IP address) must remain static while the Connector is operational.

 


Ports and Component Connections

Component: Connector
  Allow: Inbound
  Port/Protocol: 443 TCP
  Source/Destination: From PCoIP Clients and administrative web browsers.
  Description: For users to negotiate connections to their remote workstations, and for access to the Management Interface for (legacy) management of Anyware Manager.

Component: Connector
  Allow: Outbound
  Port/Protocol: 443 TCP
  Source/Destination: To the Anyware Manager (CAM) service, the PCoIP Cloud License Server and SumoLogic.
  Description: To sync AD information to the Manager service and call Anyware Manager APIs related to negotiating PCoIP sessions; to verify the license activation code during Connector installation; for log aggregation for support purposes.

Component: Connector
  Allow: Outbound
  Port/Protocol: 60443 TCP
  Source/Destination: To remote workstations.
  Description: Prepares PCoIP Agents for a new user session.

Component: Connector
  Allow: Inbound
  Port/Protocol: 4172 TCP/UDP
  Source/Destination: From PCoIP Clients.
  Description: PCoIP sessions for users outside the corporate network (via the security gateway).

Component: Connector
  Allow: Outbound
  Port/Protocol: 4172 TCP/UDP
  Source/Destination: To remote workstations.
  Description: PCoIP sessions for users outside the corporate network (relayed by the security gateway).

Component: Connector
  Allow: Outbound
  Port/Protocol: 636 TCP
  Source/Destination: To Domain Controllers.
  Description: To authenticate users and query user and computer information over LDAPS.

Component: Connector
  Allow: Outbound
  Port/Protocol: 1812 UDP (configurable)
  Source/Destination: To the RADIUS server (optional).
  Description: For authentication against the RADIUS server (MFA).

Component: Connector
  Allow: Outbound
  Port/Protocol: 53 TCP/UDP
  Source/Destination: To DNS.
  Description: Domain name resolution.

Component: PCoIP License Server
  Allow: Inbound
  Port/Protocol: 7070 TCP (configurable)
  Source/Destination: From remote workstations.
  Description: License activation and verification by the PCoIP Agent when the PCoIP License Server is used instead of the Cloud License Server.

 

Firewall Configuration for Anyware Connector

Ensure that the firewall within the VM's virtual network, and firewalld on the VM itself, are configured so that the Anyware Connector can operate.

Check firewall status:
Confirm the firewall status by running: sudo systemctl status firewalld

  • If firewalld is active, follow the steps below.
  • If firewalld is inactive and your organization does not require a host firewall on the Connector VM, skip this step and proceed to the remaining steps.

View firewall configuration:
To check the existing firewall configuration, run:
sudo firewall-cmd --list-all

Configure the firewall:
Run the following commands to open the ports the Connector needs and to trust the K3s pod and service subnets:

  • sudo firewall-cmd --permanent --add-port=6443/tcp (for the cluster virtual network, flannel)
  • sudo firewall-cmd --permanent --add-port=4172/tcp (PCoIP SG TCP port)
  • sudo firewall-cmd --permanent --add-port=4172/udp (PCoIP SG UDP port)
  • sudo firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 (subnet for the pods)
  • sudo firewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16 (subnet for the services)
  • sudo firewall-cmd --reload (to apply the changes)

If you changed --cluster-cidr or --service-cidr from their defaults, substitute your own subnets for 10.42.0.0/16 and 10.43.0.0/16. After the reload, compare sudo firewall-cmd --list-all with the port table above and confirm that PCoIP Clients can still reach the Connector on 443/tcp and 4172/tcp+udp from their networks.
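The commands above are safe to re-run, but on a host someone has already partly configured nothing tells you what is still missing. The script below is an added example, not part of the HP/Teradici documentation: it parses the output of firewall-cmd --list-all (default zone) and firewall-cmd --zone=trusted --list-all, compares it with the ports and trusted sources listed above, and prints only the commands still needed. The two zone listings embedded in it are constructed samples of a half-configured host; run it with --live on the Connector host to query firewalld for real.

```shell
#!/usr/bin/env bash
# Added example (not HP/Teradici code): compute the firewall-cmd commands still
# needed for the Anyware Connector from existing firewalld zone listings.
set -eu

# Requirements taken from the firewall section of this article.
REQUIRED_PORTS="6443/tcp 4172/tcp 4172/udp"
TRUSTED_SOURCES="10.42.0.0/16 10.43.0.0/16"

# Constructed samples of `firewall-cmd --list-all` (default zone) and
# `firewall-cmd --zone=trusted --list-all` on a partially configured host.
SAMPLE_DEFAULT='public (active)
  target: default
  interfaces: eth0
  services: cockpit dhcpv6-client ssh
  ports: 4172/tcp
  sources: '
SAMPLE_TRUSTED='trusted
  target: ACCEPT
  sources: 10.42.0.0/16
  ports: '

# field_values LISTING KEY -> the space-separated values on the "KEY:" line
field_values() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# missing LISTING KEY WANTED... -> prints each WANTED item absent from KEY's values
missing() {
    local have; have=" $(field_values "$1" "$2") "
    shift 2
    for w in "$@"; do
        case "$have" in
            *" $w "*) ;;
            *) printf '%s\n' "$w" ;;
        esac
    done
}

# plan DEFAULT_LISTING TRUSTED_LISTING -> the firewall-cmd commands still required
plan() {
    local cmds=''
    for p in $(missing "$1" ports $REQUIRED_PORTS); do
        cmds="$cmds
sudo firewall-cmd --permanent --add-port=$p"
    done
    for s in $(missing "$2" sources $TRUSTED_SOURCES); do
        cmds="$cmds
sudo firewall-cmd --permanent --zone=trusted --add-source=$s"
    done
    [ -n "$cmds" ] && cmds="$cmds
sudo firewall-cmd --reload"
    printf '%s\n' "${cmds#?}"    # drop the leading newline; empty when nothing is missing
}

if [ "${1:-}" = "--live" ]; then
    plan "$(sudo firewall-cmd --list-all)" "$(sudo firewall-cmd --zone=trusted --list-all)"
else
    plan "$SAMPLE_DEFAULT" "$SAMPLE_TRUSTED"
fi
```

For the constructed samples the plan is the two missing ports, the missing trusted source and the reload; on a fully configured host it prints nothing, which makes it usable as a drift check from cron or a configuration-management run.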

 

Configuring and Verifying DNS Resolution for the Connector Server

To install and configure Anyware Manager or Connector on RHEL or Rocky Linux, ensure there’s a solid connection between the machine and the Active Directory Domain Controller.

 

https://anyware.hp.com/web-help/anyware_manager_connector/24.07/anyware_connector/prerequisite/awc_dnsname_config/

 

Verification Steps:

  • SSH into the machine and verify DNS resolution and network connectivity by running:
    ping <domain FQDN> and ping <remote workstation FQDN>
    (If the name resolves but ping still fails, ICMP is probably filtered on the path; that is not a DNS problem.)

DNS Troubleshooting: If the ping does not work, follow these steps, using the example IP 10.162.0.42 for the domain example-domain.com:

  1. Disable auto-configuration of DNS:
    Prevent the DNS settings from being overwritten on reboot (replace eth0 with your interface/connection name):
    • nmcli device modify eth0 ipv4.ignore-auto-dns yes
    • nmcli connection modify eth0 ipv4.ignore-auto-dns yes
  2. Edit the network configuration script:
    Add the DNS server IP addresses and optionally a DNS suffix:
    • Open the file: sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0
    • Add/edit the following lines:
      DNS1=10.162.0.42
      DNS2=<secondary DNS IP, if available>
      DOMAIN=example-domain.com
      PEERDNS=no
    On RHEL/Rocky Linux 9 the ifcfg format is deprecated and NetworkManager stores connections as keyfiles by default; set the same values on the connection with nmcli instead (the ipv4.dns, ipv4.dns-search and ipv4.ignore-auto-dns properties) and bring the connection up again.
  3. Restart NetworkManager:
    Restart NetworkManager to apply the changes:
    sudo systemctl restart NetworkManager
  4. Verify DNS settings:
    Check that the desired DNS servers and search suffixes are present:
    cat /etc/resolv.conf
    If necessary, add the following:
    search example-domain.com
    nameserver 10.162.0.42
  5. Test DNS:
    Test DNS resolution by pinging the domain FQDN and the IP address of the Domain Controller.
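Ping conflates two different failures (name resolution and ICMP reachability) and says nothing about the ports the Connector actually uses. The script below is an added example, not from the HP/Teradici documentation: it checks /etc/resolv.conf for the expected search domain and nameserver, resolves the AD domain and a remote workstation through the system resolver (the same path the Connector uses), and then makes plain TCP connections to the domain controller on 636 (LDAPS) and to the workstation on 60443, the two outbound ports from the table above. The resolv.conf content embedded in it is a constructed sample; it needs bash (for /dev/tcp when nc is absent) and GNU coreutils.

```shell
#!/usr/bin/env bash
# Added example (not HP/Teradici code): check the Connector host's DNS and
# LDAPS path to Active Directory without depending on ICMP.

# Constructed sample of a correct /etc/resolv.conf for the example above.
SAMPLE_RESOLV='# constructed sample
search example-domain.com
nameserver 10.162.0.42
nameserver 10.162.0.43'

# resolv_has KEY VALUE  (resolv.conf content on stdin)
# -> 0 if a "KEY ..." line lists VALUE, e.g. resolv_has nameserver 10.162.0.42
resolv_has() {
    local key="$1" want="$2" line v
    while read -r line; do
        case "$line" in
            "$key"[[:space:]]*)
                set -- $line; shift          # the words after the key
                for v in "$@"; do
                    [ "$v" = "$want" ] && return 0
                done ;;
        esac
    done
    return 1
}

# resolves FQDN -> 0 if the system resolver (what the Connector uses) finds an address
resolves() { getent hosts "$1" >/dev/null 2>&1; }

# tcp_open HOST PORT [TIMEOUT_S] -> 0 if a TCP connection succeeds
tcp_open() {
    local host="$1" port="$2" t="${3:-3}"
    if command -v nc >/dev/null 2>&1; then
        nc -z -w "$t" "$host" "$port" >/dev/null 2>&1
    else
        timeout "$t" bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
    fi
}

# preflight DOMAIN DC_IP WORKSTATION_FQDN -> prints PASS/FAIL per check,
# returns the number of failed checks
preflight() {
    local domain="$1" dc="$2" ws="$3" fails=0
    check() {
        if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fails=$((fails + 1)); fi
    }
    check resolv_has search "$domain" < /etc/resolv.conf
    check resolv_has nameserver "$dc" < /etc/resolv.conf
    check resolves "$domain"          # AD domain FQDN
    check resolves "$ws"              # a remote workstation
    check tcp_open "$dc" 636          # LDAPS to the domain controller
    check tcp_open "$ws" 60443        # session setup port on the PCoIP Agent
    return "$fails"
}

# Usage: ./dns-preflight.sh <AD domain FQDN> <DC IP> <remote workstation FQDN>
if [ "$#" -eq 3 ]; then
    preflight "$1" "$2" "$3"
fi
```

A FAIL on the resolv.conf checks after a reboot is the symptom of the DHCP overwrite that step 1 prevents; a FAIL on port 636 with DNS passing points at the firewall between the Connector and the domain controllers rather than at name resolution.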

 

Configuring Active Directory (AD) Service Account Permissions

To successfully install the Connector, ensure the following Active Directory Service Account permissions and configurations:

  • The server must be able to resolve the AD domain.
  • Supported Domain Controller Servers for the Connector:
    • Windows 2016 Server with secure LDAP (LDAPS) enabled.
    • Windows 2012 R2 Server with secure LDAP (LDAPS) enabled.
    • Windows 2019 Server with secure LDAP (LDAPS) enabled.

Disable Swap

The Connector is built on K3s, and it is strongly recommended to disable swap on the Linux host to avoid memory issues in a production environment.

You can disable swap as follows:

  • For a new install, to disable swap permanently on the Connector server:

o          Edit /etc/fstab and add '#' in front of any line that contains the word 'swap'.

  • For an existing Connector that is running into a memory issue, run the following command to disable swap immediately (this is not retained after a system reboot):

o          sudo swapoff -a

If swap is required for any reason, it should be greater than or equal to the size of the RAM. Even then there is no guarantee that it works, so it is strongly recommended to disable it.

 

Preparing the Required Connector Configuration Information

Write down and save the data required for installing and configuring the Connector; it may take time to obtain them from your IT department. The list of required and commonly used flags follows.

What: Token
  Description: Generate the token from the Anyware Manager (details below).
  R/O: Required
  Flags: --token

What: Domain
  Description: The domain in which the Connector and remote workstations reside, e.g. myexample.com
  R/O: Required
  Flags: --domain

What: AD service account
  Description: See "Active Directory Service Accounts - Teradici CAS Manager".
  R/O: Required
  Flags: --sa-user, --sa-password

What: Policies
  Description: You have read and accepted the EULA.
  R/O: Required
  Flags: --accept-policies

What: Certificate for the LDAPS connection to AD
  Description: One of the listed flags is required. If --ldaps-ca-cert is not used, you must use either --ldaps-insecure to skip certificate validation or --enable-ldap-plaintext (test purposes only).
  R/O: Required
  Flags: --ldaps-ca-cert, --ldaps-insecure, --enable-ldap-plaintext

What: Certificate for the TLS connection to Anyware Manager
  Description: Not required if the --manager-insecure flag is used. Required if Anyware Manager uses a self-signed certificate and --manager-insecure is not used to skip validation. Required if Anyware Manager uses a certificate signed by a private CA that the Connector does not know. Must be in PEM format and contain a single certificate.
  R/O: Required (in the cases above)
  Flags: --manager-ca-cert, --manager-insecure

What: TLS key and certificate for the Connector
  Description: Not required when installing the Connector for testing with the --self-signed flag. Required for production use to establish a secure connection from the PCoIP Client to the Connector. Must be in PEM format and contain a single certificate.
  R/O: Required
  Flags: --tls-key, --tls-cert, --self-signed

What: Base DNs to search for computers and users in AD
  Description: Not required if one or more Connectors were already installed and have synced AD in the same deployment. Required if this is the first Connector in the deployment.
  R/O: Optional
  Flags: --computers-dn, --users-dn

What: Domain controller
  Description: Not required if DNS auto-resolution from --domain works as desired.
  R/O: Optional
  Flags: --domain-controller

What: Security gateway
  Description: For external connections. By default the security gateway for external traffic is enabled (true). For an internal-only Connector, disable it with --enable-security-gateway=false.
  R/O: Optional
  Flags: --enable-security-gateway

Notes:

  • LDAPS certificate: If --ldaps-ca-cert is not used, you can skip certificate validation with --ldaps-insecure or use --enable-ldap-plaintext for testing. Both expose the service-account credentials and user logons to anyone who can intercept the Connector's traffic to the domain controllers, so neither belongs in production.
  • TLS connection: Ensure the certificates for Anyware Manager are in PEM format and contain a single certificate. These are crucial for production environments.
  • Security gateway: The security gateway for external traffic is enabled by default. To disable it for internal traffic, use --enable-security-gateway=false.
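The comparison table earlier in this article notes that, unlike CACv2, the Anyware Connector does not prompt for missing flags but fails with a missing-parameter error, and the table above spells out which alternatives satisfy each requirement. The script below is an added example, not HP/Teradici code: it checks a planned configure argument list against those rules before anything is run, and flags the options that switch certificate validation off so they do not slip into production unnoticed. The flag names are the ones from the tables; the argument lists used in the self-check are constructed samples, and the validator treats --sa-user/--sa-password as required, as the table above does.

```shell
#!/usr/bin/env bash
# Added example (not HP/Teradici code): check a planned
# `anyware-connector configure` argument list before running it.

# has_flag NAME ARGS... -> 0 if --NAME or --NAME=value appears in ARGS
has_flag() {
    local name="$1" a; shift
    for a in "$@"; do
        case "$a" in "--$name"|"--$name="*) return 0 ;; esac
    done
    return 1
}

# validate ARGS... -> prints ERROR:/WARN: lines; returns 1 if any ERROR
validate() {
    local errors=0 f
    for f in token domain sa-user sa-password accept-policies; do
        has_flag "$f" "$@" || { echo "ERROR: --$f is required"; errors=1; }
    done

    # Identity the Connector presents to PCoIP Clients
    if has_flag self-signed "$@"; then
        echo "WARN: --self-signed: PCoIP Clients cannot verify this Connector; use --tls-key and --tls-cert in production"
    elif ! { has_flag tls-key "$@" && has_flag tls-cert "$@"; }; then
        echo "ERROR: --self-signed, or both --tls-key and --tls-cert, is required"; errors=1
    fi

    # Trust anchor for LDAPS to the domain controllers
    if has_flag ldaps-ca-cert "$@"; then
        :
    elif has_flag ldaps-insecure "$@"; then
        echo "WARN: --ldaps-insecure: domain controller certificates are not validated"
    elif has_flag enable-ldap-plaintext "$@"; then
        echo "WARN: --enable-ldap-plaintext: AD traffic, credentials included, is sent unencrypted; testing only"
    else
        echo "ERROR: one of --ldaps-ca-cert, --ldaps-insecure or --enable-ldap-plaintext is required"; errors=1
    fi

    # Trust in Anyware Manager
    if has_flag manager-insecure "$@"; then
        echo "WARN: --manager-insecure: the Anyware Manager certificate is not validated; supply --manager-ca-cert instead"
    fi

    # The first Connector in a deployment must seed the AD search bases
    if ! { has_flag computers-dn "$@" && has_flag users-dn "$@"; }; then
        echo "WARN: --computers-dn/--users-dn not set; both are required for the first Connector in a deployment"
    fi

    # Secrets on the command line end up in shell history and process listings
    if has_flag sa-password "$@" || has_flag radius-secret "$@"; then
        echo "WARN: secret passed as a command-line flag; prefer the configuration file"
    fi
    return "$errors"
}

# Usage: ./validate-configure-args.sh <the flags you intend to pass to configure>
if [ "$#" -gt 0 ]; then
    validate "$@"
fi
```

Run it with the exact argument list you intend to give configure; a non-zero exit means configure would have failed anyway, and each WARN line names a flag to remove before the Connector goes into production.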

 

 

Self-signed certificate:

Use the following command to check whether the certificate is installed:

 

 

Installing Anyware Connector

Internet-Connected Environment Setup:

  1. Add the Connector repository:
    Download the repository file from the website, or check whether the repository is already added by running:
    sudo dnf repolist teradici-anyware-manager*
  2. Configure the SELinux components:
    To check whether the SELinux policy package is installed, run:
    sudo dnf list installed | grep anyware-manager-selinux
    If it is not installed, install it (following the SELinux steps in the Anyware Connector prerequisites guide) before continuing.
  3. Install the Connector RPM:
    Install the Connector RPM and generate the sample configuration files by running:
    sudo dnf install -y anyware-connector

 

Darksite (Offline) Environment Setup:

  1. Download and transfer the files:
    Download the Darksite tar.gz file using a direct download or a script, then transfer the file to the target darksite machine.
  2. Extract the Installation File:
    After transferring the file, extract it by running:
    sudo tar xzvf anyware-connector-offline_Linux.tar.gz
    This creates a new folder that contains two files:
    • anyware-connector-offline-deps.tar.gz
    • install.sh (the installation script)
  3. Install Anyware Connector Offline:
    To install the Connector offline, navigate to the folder and run:
    cd /PATH_OF_EXTRACTED_INSTALLATION_FILES
    Then run:
    sudo ./install.sh

 

Generating a Connector Token

To generate a Connector token, follow these steps:

  1. In the console sidebar, click Connectors.
  2. Click the Add Connector button (the "+" sign next to Connectors heading).
  3. Enter the required information:
    • Select or create the deployment you want to add the Connector to.
    • Enter the name of the Connector.
  4. Click Generate.
  5. Copy the Connector token using the copy icon.

 

Configuring the Anyware Connector for Anyware Manager

After installing the Connector RPM and generating a Connector token, configure the Connector to work with the Anyware Manager by running the following commands:

 

https://anyware.hp.com/web-help/anyware_manager_connector/24.07/anyware_connector/awc_connector_install/

 

Quick Start Configuration (testing only; every certificate check is switched off):

  1. Set the token environment variable:
    export token=<token from Anyware Manager Admin Console>
  2. Run the configuration command:

    sudo /usr/local/bin/anyware-connector configure \
     --manager-url 'https://ipv4.Anyware.Manager.Installable' \
     --token "$token" \
     --domain 'testlab.internal' \
     --sa-user 'sampleuser' \
     --sa-password 'passwordstring' \
     --accept-policies \
     --self-signed \
     --ldaps-insecure \
     --manager-insecure

Typical Configuration:

  1. Set the token environment variable:
    export token=<token from Anyware Manager Admin Console>
  2. Run the configuration command:

    sudo /usr/local/bin/anyware-connector configure \
     --manager-url 'https://ipv4.Anyware.Manager.Installable' \
     --token "$token" \
     --domain 'testlab.internal' \
     --sa-user 'sampleuser' \
     --sa-password 'Passwordstring' \
     --ldaps-ca-cert '/home/rocky/DC-Cert.pem' \
     --computers-dn 'CN=Computers,DC=testlab,DC=internal' \
     --users-dn 'CN=Users,DC=testlab,DC=internal' \
     --external-pcoip-ip 'public.ipv4.sg.ip' \
     --self-signed \
     --accept-policies \
     --manager-insecure

Note that the "typical" command still uses --self-signed and --manager-insecure. For production, replace --self-signed with --tls-key and --tls-cert so that PCoIP Clients can verify the Connector, and replace --manager-insecure with --manager-ca-cert (or a publicly trusted certificate on Anyware Manager). Passing --sa-password on the command line also leaves the service-account password in the shell history and in process listings while the command runs; the configure command accepts a configuration file, which is the better place for it.
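Both the "Self-signed certificate" check earlier in this article and the typical configuration above come down to the same questions about a PEM file: does it hold exactly one certificate (as --tls-cert and --manager-ca-cert require), is it self-signed (fine for a root CA used as --ldaps-ca-cert, not fine for the Connector's own --tls-cert), how long is it valid, and does the domain controller's LDAPS certificate actually chain to the file you intend to pass as --ldaps-ca-cert. The script below is an added example, not HP/Teradici code, that answers them with openssl only. The key/certificate pair written by make_sample_cert is throwaway constructed test data; verify_ldaps is the one function that needs network access to a domain controller.

```shell
#!/usr/bin/env bash
# Added example (not HP/Teradici code): inspect the certificate files named
# in a configure command before using them. Needs openssl and GNU date.

# pem_cert_count FILE -> number of certificates in the PEM file
# (--tls-cert and --manager-ca-cert must contain exactly one)
pem_cert_count() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# cert_is_self_signed FILE -> 0 if issuer == subject (a root CA, or a
# throwaway server certificate that PCoIP Clients cannot verify)
cert_is_self_signed() {
    local subj iss
    subj=$(openssl x509 -in "$1" -noout -subject) || return 2
    iss=$(openssl x509 -in "$1" -noout -issuer) || return 2
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# cert_days_left FILE -> whole days until notAfter (negative once expired)
cert_days_left() {
    local end t
    end=$(openssl x509 -in "$1" -noout -enddate) || return 2
    t=$(date -d "${end#notAfter=}" +%s) || return 2
    echo $(( (t - $(date +%s)) / 86400 ))
}

# classify ROLE FILE -> one-line verdict; ROLE is "server" (--tls-cert) or
# "ca" (--ldaps-ca-cert, --manager-ca-cert). Returns 1 if the file is unusable.
classify() {
    local role="$1" f="$2" n
    n=$(pem_cert_count "$f")
    if [ "$n" -ne 1 ]; then
        echo "REJECT: $f holds $n certificates; one PEM certificate is required"
        return 1
    fi
    if cert_is_self_signed "$f"; then
        case "$role" in
            server) echo "SELF-SIGNED: $f; clients cannot verify it, so it only suits a --self-signed style test" ;;
            ca)     echo "ROOT CA: $f is self-signed, as a root trust anchor should be" ;;
        esac
    else
        case "$role" in
            server) echo "CA-SIGNED: $f is usable with --tls-cert (pair it with its --tls-key)" ;;
            ca)     echo "NOT A ROOT: $f is issued by another CA; make sure it is the CA that signs the DC/Manager certificates, not a leaf" ;;
        esac
    fi
}

# verify_ldaps DC_HOST CA_FILE -> 0 if the DC's LDAPS certificate chains to CA_FILE.
# This is the check that justifies --ldaps-ca-cert over --ldaps-insecure (needs network).
verify_ldaps() {
    openssl s_client -connect "$1:636" -servername "$1" -CAfile "$2" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# make_sample_cert DIR -> writes key.pem/cert.pem, a self-signed throwaway pair (test data)
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj '/CN=connector.testlab.internal' \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Usage: ./cert-preflight.sh <server|ca> <file.pem> [dc-fqdn]
if [ "$#" -ge 2 ]; then
    classify "$1" "$2" && echo "expires in $(cert_days_left "$2") days"
    if [ "$#" -eq 3 ]; then
        if verify_ldaps "$3" "$2"; then
            echo "LDAPS chain from $3 verifies against $2"
        else
            echo "LDAPS chain from $3 does NOT verify against $2; fix the CA file rather than falling back to --ldaps-insecure"
        fi
    fi
fi
```

Run it as cert-preflight.sh ca /home/rocky/DC-Cert.pem dc1.testlab.internal before the typical configuration above: a verified chain means --ldaps-ca-cert will work, and the days-left figure tells you when the file (and the Connector configuration) will need rotating.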

 

 

 

MFA and Federated OAuth + SSO Setup

Connector multifactor authentication flags

Configuration file parameter: enable
  Flag: --enable-mfa
  Description: Use this flag to enable multi-factor authentication. MFA is then enforced for all connections, both internal and external: internal users must enter the MFA code in the PCoIP Client when connecting through this Connector. It is recommended to install separate Connectors for internal and external connections. A boolean parameter.

Configuration file parameter: port
  Flag: --radius-port
  Description: The RADIUS server port. If not specified, the default port (1812) is used. Optional when --radius-server is specified. A string parameter.

Configuration file parameter: server
  Flag: --radius-server
  Description: The FQDN or IP address of the RADIUS server to use for MFA. This flag is optional. A string parameter.

Configuration file parameter: sharedSecret
  Flag: --radius-secret
  Description: The shared secret used for RADIUS authentication. Required if --radius-server is specified. A string parameter.

The shared secret is the only thing protecting the RADIUS exchange on UDP 1812, so use a long random value, keep it in the configuration file rather than on the command line, and keep the path between the Connector and the RADIUS server on a trusted network.

 

Federated Authentication

Flag: --enable-oauth
  Type: Boolean
  Description: Enables OAuth authentication. (Default = false)

Flag: --id-provider-url
  Type: String
  Description: Sets the identity provider URL, for example --id-provider-url https://provider-1234567890.okta.com. Required if --enable-oauth is true.

Flag: --oauth-client-id
  Type: String
  Description: The client ID obtained from the identity provider. Required if --enable-oauth is true.

Flag: --fa-url
  Type: String
  Description: The Federated Auth Broker URL, for example https://cac-vm-fqdn:port

Flag: --oauth-flow-code
  Type: String
  Description: Specifies the OAuth flow / grant type (default "OAUTH_FLOW_CODE_WITH_PKCE"). "OAUTH_FLOW_CODE_WITH_PKCE" is currently the only supported flow.

Flag: --enable-entitlements-by-upn
  Type: Boolean
  Description: Enables/disables searching entitlements by UPN. Must be true if --enable-oauth is true.

 

Federated Authentication With Single Sign-On

Flag: --sso-signing-csr-ca
  Type: String
  Description: Path to the intermediate CA certificate.

Flag: --sso-signing-csr-key
  Type: String
  Description: Path to the intermediate CA key.

Flag: --sso-signing-crl
  Type: String
  Description: Path to a certificate revocation list.

Flag: --sso-enrollment-url
  Type: String
  Description: URL of the Active Directory Certification Authority Web Enrollment Service.

Flag: --sso-enrollment-domain
  Type: String
  Description: Domain of the user that accesses the Active Directory Certification Authority Web Enrollment Service.

Flag: --sso-enrollment-username
  Type: String
  Description: Username for accessing the Active Directory Certification Authority Web Enrollment Service.

Flag: --sso-enrollment-password
  Type: String
  Description: Password of the user that accesses the Active Directory Certification Authority Web Enrollment Service.

Flag: --sso-enrollment-certificate-template-name
  Type: String
  Description: Name of the certificate template that Active Directory Certificate Services (AD CS) uses to sign the CSRs.

The enrollment account and the key referenced by --sso-signing-csr-key can obtain logon certificates for any user the template allows, so restrict the template's enrollment permissions to that account only, keep the key and password files readable by root alone, and watch the CA's issued-certificate log for that template.